sysutils/grub2-bhyve: CURRENT build breaks on "gets" security hole

John D Groenveld groenveld at acm.org
Wed Oct 9 14:04:00 UTC 2019


In message <b5dee193-1b45-0438-2d84-1e9ecb7297c5 at gmail.com>, Sérgio Siegrist writes:
>grub2-bhyve fails to compile with this error:
>gcc8 -DHAVE_CONFIG_H -I. -I../.. -I../../intl -MT argp-eexst.o -MD -MP 
>-MF .deps/argp-eexst.Tpo -c -o argp-eexst.o argp-eexst.c
>In file included from argp.h:22,
>from argp-eexst.c:25:
>./stdio.h:456:1: error: 'gets' undeclared here (not in a function); did 
>you mean 'getw'?
>_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
>^~~~~~~~~~~~~~~
>gmake[5]: *** [Makefile:1030: argp-eexst.o] Error 1
>
>
>I suppose replacing 'gets' with 'fgets' should fix it.

I think the compiler is flagging the attempt in stdio.h to flag
the use of gets(3) as gets(3) has been removed from the C standard
and the C library. 

The package builds without the check.
$ cat files/patch-grub-core_gnulib_stdio.in.h
@@ -137,12 +137,6 @@ _GL_WARN_ON_USE (fflush, "fflush is not always POSIX compliant - "
                  "use gnulib module fflush for portable POSIX compliance");
 #endif

-/* It is very rare that the developer ever has full control of stdin,
-   so any use of gets warrants an unconditional warning.  Assume it is
-   always declared, since it is required by C89.  */
-#undef gets
-_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
-
 #if @GNULIB_FOPEN@
 # if @REPLACE_FOPEN@
 #  if !(defined __cplusplus && defined GNULIB_NAMESPACE)
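
Review bot: deleting the `_GL_WARN_ON_USE (gets, ...)` line together with `#undef gets` drops the warning on every platform, including those whose libc still declares gets. The removed comment's assumption ("Assume it is always declared, since it is required by C89") is the part that no longer holds, so a narrower change would keep the block, wrap the `_GL_WARN_ON_USE` line in a preprocessor check for whether gets is declared, and update the comment to match. The patch as shown also begins at the `@@` header with no `---`/`+++` file lines, so it is worth confirming the file in the port carries them.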

John
groenveld at acm.org


More information about the freebsd-virtualization mailing list