Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 718808 (CVE-2019-14274) - <dev-cpp/libmcpp-2.7.2_p5: Buffer overflow in do_msg() (CVE-2019-14274)
Summary: <dev-cpp/libmcpp-2.7.2_p5: Buffer overflow in do_msg() (CVE-2019-14274)
Status: RESOLVED FIXED
Alias: CVE-2019-14274
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-22 00:37 UTC by GLSAMaker/CVETool Bot
Modified: 2022-08-04 14:15 UTC (History)
1 user (show)

See Also:
Package list:
dev-cpp/libmcpp-2.7.2_p5
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 00:37:06 UTC 
CVE-2019-14274 (https://nvd.nist.gov/vuln/detail/CVE-2019-14274):
  MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function in
  support.c.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 00:46:21 UTC 
Specific path according to Debian: https://salsa.debian.org/debian/mcpp/-/blob/master/debian/patches/05-gniibe-fix-13.patch

There are however various other patches in that directory which look useful and are possibly security-related. So please investigate applying those.
Comment 2 Larry the Git Cow gentoo-dev 2021-03-27 02:58:00 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad7f93d52342c57be176764b89aed9ae401c7f8a

commit ad7f93d52342c57be176764b89aed9ae401c7f8a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-03-27 01:27:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-27 02:57:36 +0000

    dev-cpp/libmcpp: (security) bump to 2.7.2_p5 (Debian)
    
    Easier to just use the Debian patchset here.
    
    Bug: https://bugs.gentoo.org/718808
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-cpp/libmcpp/Manifest                |  1 +
 dev-cpp/libmcpp/libmcpp-2.7.2_p5.ebuild | 50 +++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-22 02:57:28 UTC 
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-22 03:00:06 UTC 
amd64 done

all arches done
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-22 13:08:00 UTC 
Please cleanup.
Comment 6 Larry the Git Cow gentoo-dev 2021-06-12 17:30:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95af7c77e3687fb248aeec1c40682ae78d8e64b2

commit 95af7c77e3687fb248aeec1c40682ae78d8e64b2
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-06-12 17:29:35 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-06-12 17:29:56 +0000

    dev-cpp/libmcpp: drop 2.7.2-r3
    
    Bug: https://bugs.gentoo.org/718808
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-cpp/libmcpp/files/libmcpp-2.7.2-gniibe.patch | 33 -----------
 dev-cpp/libmcpp/files/libmcpp-2.7.2-zeroc.patch  | 75 ------------------------
 dev-cpp/libmcpp/libmcpp-2.7.2-r3.ebuild          | 47 ---------------
 3 files changed, 155 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 04:17:20 UTC 
GLSA request filed.
Comment 8 Larry the Git Cow gentoo-dev 2022-08-04 14:02:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3b3ef864e85e6987d910f13c95b41c711f44cda9

commit 3b3ef864e85e6987d910f13c95b41c711f44cda9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:45 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 14:00:12 +0000

    [ GLSA 202208-04 ] libmcpp: Denial of service
    
    Bug: https://bugs.gentoo.org/718808
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-04.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:15:32 UTC 
GLSA released, all done!