Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 704830 (CVE-2019-14462, CVE-2019-14463) - <dev-libs/libmodbus-3.1.6: multiple vulnerabilities (CVE-2019-{14462,14463})
Summary: <dev-libs/libmodbus-3.1.6: multiple vulnerabilities (CVE-2019-{14462,14463})
Alias: CVE-2019-14462, CVE-2019-14463
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Reported: 2020-01-05 17:56 UTC by Richard Ash
Modified: 2020-04-21 23:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+

Patch to update ebuild (libmodbus-3.1.6.ebuild.patch,505 bytes, patch)
2020-01-05 17:59 UTC, Richard Ash
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Richard Ash 2020-01-05 17:56:46 UTC
dev-libs/libmodbus-3.1.6 has been released. The same ebuild and patch work correctly for the newer package version.

Reproducible: Always

Steps to Reproduce:
1.Rename dev-libs/libmodbus-3.1.4.ebuild to dev-libs/libmodbus-3.1.6.ebuild
2.Change keywords back to ~arch, adjust patch specification to keep versioned patch applied.
3.ebuild digest, unmask and emerge
Comment 1 Richard Ash 2020-01-05 17:59:56 UTC
Created attachment 602616 [details, diff]
Patch to update ebuild

This patch adds ~arch keywords and changes the PATCHES variable to keep using the patch already in the portage tree.

Signed-off-by: Richard Ash <>
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-05 19:38:31 UTC
This looks very much like a security bug fix of a security bug fix.
Comment 3 Richard Ash 2020-01-05 22:53:45 UTC
The immediately vulnerable version is 3.1.5 which never made it into tree. However the VD numbers are listed as "libmodbus before 3.0.7 and 3.1.x before 3.1.5", so the issues do go back to 3.1.4 (currently in tree). This wasn't why I was bumping my build ...

The corresponding CVEs:
Comment 4 Larry the Git Cow gentoo-dev 2020-03-02 15:24:15 UTC
The bug has been referenced in the following commit(s):

commit 5dda1812d8300dc620b580bde40f57c88c0d0153
Author:     Thomas Deutschmann <>
AuthorDate: 2020-03-02 15:23:41 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2020-03-02 15:24:07 +0000

    dev-libs/libmodbus: bump to v3.1.6
    Package-Manager: Portage-2.3.90, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <>

 dev-libs/libmodbus/Manifest               |  1 +
 dev-libs/libmodbus/libmodbus-3.1.6.ebuild | 33 +++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-03 14:37:15 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-03 15:13:56 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Larry the Git Cow gentoo-dev 2020-03-16 06:22:20 UTC
The bug has been referenced in the following commit(s):

commit 3c636e42127d337cd2c987418d0951a9530b6e6e
Author:     Sam James (sam_c) <>
AuthorDate: 2020-03-15 21:36:41 +0000
Commit:     Michał Górny <>
CommitDate: 2020-03-16 06:22:15 +0000

    dev-libs/libmodbus: Drop vulnerable ebuild
    =dev-libs/libmodbus-3.1.4 is vulnerable, so drop it.
    Signed-off-by: Sam James (sam_c) <>
    Signed-off-by: Michał Górny <>

 dev-libs/libmodbus/Manifest               |  1 -
 dev-libs/libmodbus/libmodbus-3.1.4.ebuild | 33 -------------------------------
 2 files changed, 34 deletions(-)
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 20:06:16 UTC
GLSA Vote: No

Repository is clean, all done!