1 files changed, 39 insertions, 0 deletions

diff --git a/debian/patches/gcc-default-format-security.diff b/debian/patches/gcc-default-format-security.diff
new file mode 100644
index 0000000..f82ff5e
--- /dev/null
+++ b/debian/patches/gcc-default-format-security.diff
@@ -0,0 +1,39 @@
+# DP: Turn on -Wformat -Wformat-security by  default for C, C++, ObjC, ObjC++.
+
+Index: b/src/gcc/doc/invoke.texi
+===================================================================
+--- a/src/gcc/doc/invoke.texi
++++ b/src/gcc/doc/invoke.texi
+@@ -3799,6 +3799,11 @@ included in @option{-Wformat-nonliteral}
+ If @option{-Wformat} is specified, also warn if the format string
+ requires an unsigned argument and the argument is signed and vice versa.
+ 
++NOTE: In Ubuntu 8.10 and later versions this option is enabled by default
++for C, C++, ObjC, ObjC++.  To disable, use @option{-Wno-format-security},
++or disable all format warnings with @option{-Wformat=0}.  To make format
++security warnings fatal, specify @option{-Werror=format-security}.
++
+ @item -Wformat-y2k
+ @opindex Wformat-y2k
+ @opindex Wno-format-y2k
+Index: b/src/gcc/gcc.c
+===================================================================
+--- a/src/gcc/gcc.c
++++ b/src/gcc/gcc.c
+@@ -858,11 +858,14 @@ proper position among the other output f
+ #define LINK_GCC_C_SEQUENCE_SPEC "%G %L %G"
+ #endif
+ 
++/* no separate spec, just shove it into the ssp default spec */
++#define FORMAT_SECURITY_SPEC "%{!Wformat:%{!Wformat=2:%{!Wformat=0:%{!Wall:-Wformat} %{!Wno-format-security:-Wformat-security}}}}"
++
+ #ifndef SSP_DEFAULT_SPEC
+ #ifdef TARGET_LIBC_PROVIDES_SSP
+-#define SSP_DEFAULT_SPEC "%{!fno-stack-protector:%{!fstack-protector-all:%{!ffreestanding:%{!nostdlib:-fstack-protector}}}}"
++#define SSP_DEFAULT_SPEC "%{!fno-stack-protector:%{!fstack-protector-all:%{!ffreestanding:%{!nostdlib:-fstack-protector}}}} " FORMAT_SECURITY_SPEC
+ #else
+-#define SSP_DEFAULT_SPEC ""
++#define SSP_DEFAULT_SPEC FORMAT_SECURITY_SPEC
+ #endif
+ #endif
+