Bug 704830 (CVE-2019-14462, CVE-2019-14463) - <dev-libs/libmodbus-3.1.6: multiple vulnerabilities (CVE-2019-{14462,14463})
Status: RESOLVED FIXED
Alias: CVE-2019-14462, CVE-2019-14463
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://libmodbus.org/2019/urgent-fix...
Whiteboard: B3 [noglsa cve]
Reported: 2020-01-05 17:56 UTC by Richard Ash
Modified: 2020-04-21 23:09 UTC
Package list:
dev-libs/libmodbus-3.1.6
Runtime testing required: ---
stable-bot: sanity-check+
Attachments
Patch to update ebuild (libmodbus-3.1.6.ebuild.patch, 505 bytes, patch)
2020-01-05 17:59 UTC, Richard Ash

Description Richard Ash 2020-01-05 17:56:46 UTC
dev-libs/libmodbus-3.1.6 has been released. The same ebuild and patch work correctly for the newer package version.

Reproducible: Always

Steps to Reproduce:
1. Rename dev-libs/libmodbus-3.1.4.ebuild to dev-libs/libmodbus-3.1.6.ebuild
2. Change keywords back to ~arch, adjust patch specification to keep versioned patch applied.
3. ebuild digest, unmask and emerge
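As an added example (not code from the bug report, the attached patch, or Gentoo's own tooling), the POSIX shell script below carries out the three steps above on a constructed sample ebuild in a temporary directory: copy the 3.1.4 ebuild to the 3.1.6 name, prefix every stable keyword with `~`, and rewrite the `PATCHES` entry so it keeps pointing at the 3.1.4-named patch file instead of following `${P}`. The sample ebuild contents and the patch name `${P}-docs.patch` are assumptions for illustration; the Portage steps (`ebuild ... digest`, keyword unmask, `emerge`) need a real tree and are only printed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Gentoo's own tooling:
# bump a libmodbus ebuild the way the description outlines (rename,
# KEYWORDS back to ~arch, keep the versioned patch applied).
set -eu

# Constructed sample with the lines a bump touches. The patch name
# "${P}-docs.patch" is a hypothetical placeholder, not the real patch.
make_sample_ebuild() {
    cat > "$1" <<'EOF'
EAPI=7
DESCRIPTION="Library to send/receive data with a device which respects the Modbus protocol"
KEYWORDS="amd64 x86"
PATCHES=( "${FILESDIR}/${P}-docs.patch" )
EOF
}

# unstable_keywords "amd64 x86 ~arm" -> "~amd64 ~x86 ~arm"
# Stable keywords get a ~ prefix; already-unstable (~) or masked (-) ones stay.
unstable_keywords() {
    out=""
    for k in $1; do
        case $k in
            ~*|-*) out="$out $k" ;;
            *)     out="$out ~$k" ;;
        esac
    done
    printf '%s' "${out# }"
}

# bump_ebuild <dir> <old_version> <new_version>
# Writes libmodbus-<new>.ebuild from libmodbus-<old>.ebuild with KEYWORDS
# reset to ~arch and every "${P}-" patch reference pinned to "${PN}-<old>-",
# so the patch already in the tree keeps applying after the version changes.
bump_ebuild() {
    dir=$1; old=$2; new=$3
    src="$dir/libmodbus-$old.ebuild"
    dst="$dir/libmodbus-$new.ebuild"
    keywords=$(sed -n 's/^KEYWORDS="\(.*\)"$/\1/p' "$src")
    unstable=$(unstable_keywords "$keywords")
    sed -e "s|^KEYWORDS=.*|KEYWORDS=\"$unstable\"|" \
        -e "s|[\$]{P}-|\${PN}-$old-|g" \
        "$src" > "$dst"
}

# Stand-alone demo: bump a sample 3.1.4 ebuild to 3.1.6 and show the diff,
# then print the Portage commands that would complete step 3 on a real system.
demo() {
    work=$(mktemp -d)
    make_sample_ebuild "$work/libmodbus-3.1.4.ebuild"
    bump_ebuild "$work" 3.1.4 3.1.6
    diff -u "$work/libmodbus-3.1.4.ebuild" "$work/libmodbus-3.1.6.ebuild" || true
    cat <<EOF
Remaining steps (need a Portage tree, not run here):
  ebuild $work/libmodbus-3.1.6.ebuild digest
  echo "=dev-libs/libmodbus-3.1.6 ~amd64" >> /etc/portage/package.accept_keywords
  emerge -1 =dev-libs/libmodbus-3.1.6
EOF
    rm -rf "$work"
}
demo
```

The keyword rewrite is done with a loop rather than a single `sed` so that keywords already marked `~arch` or masked with `-arch` are left alone; the `PATCHES` rewrite is what keeps the tree's existing `libmodbus-3.1.4-*` patch applying once `${P}` expands to `libmodbus-3.1.6`.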
Comment 1 Richard Ash 2020-01-05 17:59:56 UTC
Created attachment 602616
Patch to update ebuild

This patch adds ~arch keywords and changes the PATCHES variable to keep using the patch already in the portage tree.

Signed-off-by: Richard Ash <richard@audacityteam.org>
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-05 19:38:31 UTC
This looks very much like a security bug fix of a security bug fix.
Comment 3 Richard Ash 2020-01-05 22:53:45 UTC
The immediately vulnerable version is 3.1.5 which never made it into tree. However the VD numbers are listed as "libmodbus before 3.0.7 and 3.1.x before 3.1.5", so the issues do go back to 3.1.4 (currently in tree). This wasn't why I was bumping my build ...

The corresponding CVEs:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14463
Comment 4 Larry the Git Cow gentoo-dev 2020-03-02 15:24:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5dda1812d8300dc620b580bde40f57c88c0d0153

commit 5dda1812d8300dc620b580bde40f57c88c0d0153
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-02 15:23:41 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-02 15:24:07 +0000

    dev-libs/libmodbus: bump to v3.1.6
    
    Bug: https://bugs.gentoo.org/704830
    Package-Manager: Portage-2.3.90, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/libmodbus/Manifest               |  1 +
 dev-libs/libmodbus/libmodbus-3.1.6.ebuild | 33 +++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-03 14:37:15 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-03 15:13:56 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Larry the Git Cow gentoo-dev 2020-03-16 06:22:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c636e42127d337cd2c987418d0951a9530b6e6e

commit 3c636e42127d337cd2c987418d0951a9530b6e6e
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-15 21:36:41 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-16 06:22:15 +0000

    dev-libs/libmodbus: Drop vulnerable ebuild
    
    =dev-libs/libmodbus-3.1.4 is vulnerable, so drop it.
    
    Bug: https://bugs.gentoo.org/704830
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/14974
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/libmodbus/Manifest               |  1 -
 dev-libs/libmodbus/libmodbus-3.1.4.ebuild | 33 -------------------------------
 2 files changed, 34 deletions(-)
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 20:06:16 UTC
GLSA Vote: No

Repository is clean, all done!