On ncurses-6.3 with extra printf() annotations gcc now detects
use of user input in place of format strings:
    lib/renderers/curses/curses.c:234:9:
      error: format not a string literal and no format arguments [-Werror=format-security]
      234 |         mvprintw(0, 0, menu->title);
          |         ^~~~~~~~
On ncurses-6.3 with extra printf() annotations gcc now detects
use of user input in place of format strings:
    ecasignalview.cpp:360:13:
      error: format not a string literal and no format arguments [-Werror=format-security]
      360 |     mvprintw(r++, 0, bar);
          |     ~~~~~~~~^~~~~~~~~~~~~
Tor browser enables multi-process support in firefox to sandbox each site
in its own process. This is a very important security feature. It was
disabled in the nixpkgs version, according to a comment due to "crashing
tabs", but running with it enabled I have not been able to recreate this.
Sandboxing enabled is the upstream default, and if we can't ship a tor
browser that way then we should not ship one at all.
Also re-enable useHardenedMalloc to use graphene-hardened-malloc. Here
there was also a comment, in this case saying it caused "crashes with
intel driver". I have also been unable to recreate this on my Intel
UHD P630 onboard graphics.
I believe neither of these are issues any longer.
in release 0.21.2 @ 20-Jul-2021 (Gtk+3)
Small addition in our speedometer CSS theme: window titlebar is now in dark mode too
Learned how to leave out annoying autotools reconfigure rules from Makefiles via AM_MAINTAINER_MODE macro
Why? working with most recent autotools version <> older autotools version on most systems <> users are not necessarily developers ...
Improvements for Wayland (CentOS Stream / OpenSUSE Tumbleweed)
Menu "Online info" core dumps due to "toplevel" window problem
Check "Gdk-CRITICAL gdk_monitor_get_workarea: assertion 'GDK_IS_MONITOR ()' failed"
gtk_window_set_transient_for(window, parent)
Not working GBC-widget (gamma, brightness, contrast)
in release 0.21.1 @ 01-May-2021 (Gtk+3)
Require libpng >= 1.6.0 for Ubuntu's sake
Added in GUI resizing to fifth and quint
Secured two sprintf() statements
Updated Inno Setup file for Gtk+3 dependencies
Fresh update of application icon
GIF89a: write "XMedCon" in application block
Naive concatenation of $LD_LIBRARY_PATH can result in an empty
colon-delimited segment; this tells glibc to load libraries from the
current directory, which is definitely wrong, and may be a security
vulnerability if the current directory is untrusted. (See #67234, for
example.) Fix this throughout the tree.
Followup to #76804. Fixes #144646.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
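
The empty-segment problem described in the commit message above, shown as an added shell example that is not part of the commit or of the tree it changes. The function names and the `/opt/app/lib` path are hypothetical; the sample values are constructed.

```shell
#!/bin/sh
# Added illustration: naive vs. guarded concatenation of a colon-delimited
# library search path. All names and paths here are hypothetical.

# has_empty_segment LIST
# Returns 0 if LIST has a leading, trailing or doubled colon, i.e. an empty
# segment of the kind the commit message says makes glibc search the
# current directory. An empty LIST has no segments and returns 1.
has_empty_segment() {
    case "$1" in
        "")         return 1 ;;
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# naive_prepend DIR LIST
# The pattern being removed: always emits the separator, so an empty LIST
# yields "DIR:" with a trailing empty segment.
naive_prepend() {
    printf '%s\n' "$1:$2"
}

# safe_prepend DIR LIST
# Emits the separator only when LIST is set and non-empty, using the POSIX
# ${var:+word} expansion. In a wrapper script the same idea reads:
#   export LD_LIBRARY_PATH="/opt/app/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
safe_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# Constructed sample: the inherited value is empty, as it is when the
# variable was never set in the calling environment.
inherited=""
for candidate in "$(naive_prepend /opt/app/lib "$inherited")" \
                 "$(safe_prepend /opt/app/lib "$inherited")"; do
    if has_empty_segment "$candidate"; then
        echo "UNSAFE (empty segment): '$candidate'"
    else
        echo "ok: '$candidate'"
    fi
done
```

`has_empty_segment` can also be pointed at the value a generated wrapper script actually exports, to catch a naive concatenation that slipped through review.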