From: John D Groenveld
To: freebsd-virtualization@freebsd.org
Subject: Re: sysutils/grub2-bhyve: CURRENT build breaks on "gets" security hole
In-reply-to: Your message of "Tue, 08 Oct 2019 17:52:08 -0300."
Date: Wed, 09 Oct 2019 10:03:50 -0400

In message , Sérgio Siegrist writes:
>grub2-bhyve fails to compile with this error:
>gcc8 -DHAVE_CONFIG_H -I. -I../.. -I../../intl -MT argp-eexst.o -MD -MP
>-MF .deps/argp-eexst.Tpo -c -o argp-eexst.o argp-eexst.c
>In file included from argp.h:22,
>from argp-eexst.c:25:
>./stdio.h:456:1: error: 'gets' undeclared here (not in a function); did
>you mean 'getw'?
>_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
>^~~~~~~~~~~~~~~
>gmake[5]: *** [Makefile:1030: argp-eexst.o] Error 1
>
>
>I suppose replacing 'gets' with 'fgets' should fix it.

I think the compiler is flagging the attempt in stdio.h to flag the use of gets(3) as gets(3) has been removed from the C standard and the C library.
The package builds without the check.

$ cat files/patch-grub-core_gnulib_stdio.in.h
@@ -137,12 +137,6 @@ _GL_WARN_ON_USE (fflush, "fflush is not always POSIX = compliant - " "use gnulib module fflush for portable POSIX compliance"= ); #endif -/* It is very rare that the developer ever has full control of stdin, - so any use of gets warrants an unconditional warning. Assume it is - always declared, since it is required by C89. */ -#undef gets -_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead"); - #if @GNULIB_FOPEN@ # if @REPLACE_FOPEN@ # if !(defined __cplusplus && defined GNULIB_NAMESPACE)

John
groenveld@acm.org
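
Review bot: the deletion of `#undef gets` and `_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");` is unconditional, so a build against a C library that still declares gets() loses the warning too, and nothing would flag a gets() call introduced into the grub sources later. The reported error is only that `_GL_WARN_ON_USE` names an undeclared symbol, so consider keeping the comment and `#undef gets` and wrapping just the `_GL_WARN_ON_USE (gets, ...)` line in a preprocessor check that is true only when gets is declared. The removed comment's "Assume it is always declared, since it is required by C89" is the assumption that no longer holds and should be reworded if the block stays. A short description at the top of the patch file saying why the check is dropped would help whoever next updates the port.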