diff --git a/Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst b/Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst
new file mode 100644
index 00000000000000..2efc88ec22171d
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst
@@ -0,0 +1 @@
+Add ``-Wformat=2`` to ``NODIST`` build flags to warn about potential vulnerabilities related to format strings.
diff --git a/Python/getversion.c b/Python/getversion.c
index 226b2f999a6bfd..0c4207fa353a66 100644
--- a/Python/getversion.c
+++ b/Python/getversion.c
@@ -15,12 +15,12 @@ void _Py_InitVersion(void)
 }
 initialized = 1;
 #ifdef Py_GIL_DISABLED
- const char *buildinfo_format = "%.80s experimental free-threading build (%.80s) %.80s";
+ PyOS_snprintf(version, sizeof(version), "%.80s experimental free-threading build (%.80s) %.80s",
+ PY_VERSION, Py_GetBuildInfo(), Py_GetCompiler());
 #else
- const char *buildinfo_format = "%.80s (%.80s) %.80s";
-#endif
- PyOS_snprintf(version, sizeof(version), buildinfo_format,
+ PyOS_snprintf(version, sizeof(version), "%.80s (%.80s) %.80s",
 PY_VERSION, Py_GetBuildInfo(), Py_GetCompiler());
+#endif
 }
 
 const char *
diff --git a/Tools/build/.warningignore_macos b/Tools/build/.warningignore_macos
index e72309229cc60f..a3a8cdf73cda57 100644
--- a/Tools/build/.warningignore_macos
+++ b/Tools/build/.warningignore_macos
@@ -3,7 +3,13 @@
 # Keep lines sorted lexicographically to help avoid merge conflicts.
 # Format example:
 # /path/to/file (number of warnings in file)
+Modules/_ctypes/_ctypes_test.c 1
+Modules/_ctypes/callbacks.c 1
 Modules/expat/siphash.h 7
 Modules/expat/xmlparse.c 8
 Modules/expat/xmltok.c 3
 Modules/expat/xmltok_impl.c 26
+Objects/mimalloc/ *
+Python/pylifecycle.c 1
+Python/sysmodule.c 1
+Python/tracemalloc.c 1
\ No newline at end of file
diff --git a/configure b/configure
index 0cc73e4e66552d..6afc98d449d599 100755
--- a/configure
+++ b/configure
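Review bot: The `PyOS_snprintf` call and its argument list `PY_VERSION, Py_GetBuildInfo(), Py_GetCompiler()` are now written twice, once per side of `#ifdef Py_GIL_DISABLED`, so any future change to the arguments or to the destination buffer has to be applied in both branches. What `-Wformat=2` needs is a string literal at the call site (its `-Wformat-nonliteral` check is what flagged the removed `const char *buildinfo_format` variable), and a macro that expands to a literal keeps that property while the call is written once, as sketched below. Whichever form is kept, a comment such as `/* Format must stay a string literal so -Wformat-nonliteral can check it. */` records why the variable was removed so it is not reintroduced by a later cleanup. `_Py_InitVersion` starts outside the hunk; only its tail is visible here.

```c
#ifdef Py_GIL_DISABLED
#  define BUILDINFO_FORMAT "%.80s experimental free-threading build (%.80s) %.80s"
#else
#  define BUILDINFO_FORMAT "%.80s (%.80s) %.80s"
#endif
    /* Format must stay a string literal so -Wformat-nonliteral can check it. */
    PyOS_snprintf(version, sizeof(version), BUILDINFO_FORMAT,
                  PY_VERSION, Py_GetBuildInfo(), Py_GetCompiler());
#undef BUILDINFO_FORMAT
```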
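Review bot: The new entries `Modules/_ctypes/callbacks.c 1`, `Python/pylifecycle.c 1`, `Python/sysmodule.c 1` and `Python/tracemalloc.c 1` tolerate one warning each by count alone, presumably the diagnostics newly produced by the `-Wformat=2` flag this commit adds, so a later unrelated warning in one of those files would be absorbed by the same allowance once the original one is fixed; since the file already uses `#` comment lines, a line above them such as `# -Wformat=2 findings (gh-112301); remove each entry once its call site is fixed` keeps the intent visible. `Objects/mimalloc/ *` is broader than every other entry in the file because it admits any number of warnings under the whole directory; if the checker supports that form, a comment noting that it is vendored code would explain the exception. The new last line `Python/tracemalloc.c 1` is also written without a trailing newline.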
@@ -9769,6 +9769,45 @@ then : else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -Wtrampolines not supported" >&5 printf "%s\n" "$as_me: WARNING: -Wtrampolines not supported" >&2;} +fi + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wformat -Wformat=2" >&5 +printf %s "checking whether C compiler accepts -Wformat -Wformat=2... " >&6; } +if test ${ax_cv_check_cflags__Werror__Wformat__Wformat_2+y} +then : + printf %s "(cached) " >&6 +else $as_nop + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -Werror -Wformat -Wformat=2" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO" +then : + ax_cv_check_cflags__Werror__Wformat__Wformat_2=yes +else $as_nop + ax_cv_check_cflags__Werror__Wformat__Wformat_2=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags__Werror__Wformat__Wformat_2" >&5 +printf "%s\n" "$ax_cv_check_cflags__Werror__Wformat__Wformat_2" >&6; } +if test "x$ax_cv_check_cflags__Werror__Wformat__Wformat_2" = xyes +then : + CFLAGS_NODIST="$CFLAGS_NODIST -Wformat -Wformat=2" +else $as_nop + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -Wformat and -Wformat=2 not supported" >&5 +printf "%s\n" "$as_me: WARNING: -Wformat and -Wformat=2 not supported" >&2;} fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wimplicit-fallthrough" >&5 diff --git a/configure.ac b/configure.ac index 1864e94ace9243..49699aaed04cc7 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2514,6 +2514,7 @@ if test "$enable_safety" = "yes"
 then
 AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [CFLAGS_NODIST="$CFLAGS_NODIST -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
 AX_CHECK_COMPILE_FLAG([-Wtrampolines], [CFLAGS_NODIST="$CFLAGS_NODIST -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
+ AX_CHECK_COMPILE_FLAG([-Wformat -Wformat=2], [CFLAGS_NODIST="$CFLAGS_NODIST -Wformat -Wformat=2"], [AC_MSG_WARN([-Wformat and -Wformat=2 not supported])], [-Werror])
 AX_CHECK_COMPILE_FLAG([-Wimplicit-fallthrough], [CFLAGS_NODIST="$CFLAGS_NODIST -Wimplicit-fallthrough"], [AC_MSG_WARN([-Wimplicit-fallthrough not supported])], [-Werror])
 AX_CHECK_COMPILE_FLAG([-Werror=format-security], [CFLAGS_NODIST="$CFLAGS_NODIST -Werror=format-security"], [AC_MSG_WARN([-Werror=format-security not supported])], [-Werror])
 AX_CHECK_COMPILE_FLAG([-Wbidi-chars=any], [CFLAGS_NODIST="$CFLAGS_NODIST -Wbidi-chars=any"], [AC_MSG_WARN([-Wbidi-chars=any not supported])], [-Werror])
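Review bot: On the added line, `-Wformat` is redundant next to `-Wformat=2` for GCC, which documents `-Wformat=2` as `-Wformat` plus additional checks, so the check could be reduced to `AX_CHECK_COMPILE_FLAG([-Wformat=2], [CFLAGS_NODIST="$CFLAGS_NODIST -Wformat=2"], [AC_MSG_WARN([-Wformat=2 not supported])], [-Werror])`, which also matches the NEWS entry, which names only `-Wformat=2`. If the explicit `-Wformat` is kept on purpose for Clang, where `-Wformat=2` is a separate diagnostic group, a comment on the line saying so would save the next reader the question. Note that `-Wformat=2` only warns; the `-Werror=format-security` check two lines below remains the only format diagnostic that fails the build, so non-literal format strings found by the new flag surface as warnings, which is consistent with the new allowances added to `Tools/build/.warningignore_macos` in this commit. The enclosing `if test "$enable_safety" = "yes"` block closes outside the hunk.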