Mark mcpp CVE-2019-14274 as fixed (#3253)

2022-06-28 13:40:01 -07:00 · 2022-06-28 13:40:01 -07:00 · 14c45b90c0
--- a/SPECS/mcpp/mcpp.spec
+++ b/SPECS/mcpp/mcpp.spec
@ -2,7 +2,7 @@
 Summary:        Alternative C/C++ preprocessor
 Name:           mcpp
 Version:        2.7.2
-Release:        27%{?dist}
+Release:        28%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -10,6 +10,7 @@ URL:            http://mcpp.sourceforge.net/
 Source0:        https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0:         mcpp-manual.html.patch
 # Extracted from http://www.zeroc.com/download/Ice/3.4/ThirdParty-Sources-3.4.2.tar.gz
+# Also responsible for fixing CVE-2019-14274
 Patch1:         patch.mcpp.2.7.2
 # https://bugzilla.redhat.com/show_bug.cgi?id=948860
 Patch2:         mcpp-man.patch
@ -88,6 +89,9 @@ rm -f %{buildroot}%{_libdir}/libmcpp.la
 %lang(ja) %doc doc-jp/mcpp-manual-jp.html

 %changelog
+* Mon Jun 27 2022 Daniel McIlvaney <damcilva@microsoft.com> - 2.7.2-28
+- Add inline comments to patch.mcpp.2.7.2 patch file to indicate it fixes CVE-2019-14274.
+
 * Wed Dec 08 2021 Thomas Crain <thcrain@microsoft.com> - 2.7.2-27
 - License verified
 - Lint spec
--- a/SPECS/mcpp/patch.mcpp.2.7.2
+++ b/SPECS/mcpp/patch.mcpp.2.7.2
@ -1,3 +1,5 @@
+# This patch file also fixes CVE-2019-14274, see inline comments below for exact chunks - damcilva 2022-06-27
+
 diff -r -c -N ../mcpp-2.7.2-old/noconfig/vc2010.dif ./noconfig/vc2010.dif
 *** ../mcpp-2.7.2-old/noconfig/vc2010.dif	Wed Dec 31 20:30:00 1969
 --- ./noconfig/vc2010.dif	Fri May 14 12:47:22 2010
@ -130,6 +132,7 @@ diff -r -c -N ../mcpp-2.7.2-old/src/support.c ./src/support.c
      size_t      length
  )
  {
+# This chunk fixes CVE-2019-14274 - damcilva 2022-06-27
 !     if (mem_buf_p->bytes_avail < length + 1) {  /* Need to allocate more memory */
          size_t size = MAX( BUF_INCR_SIZE, length);
  
@ -140,6 +143,7 @@ diff -r -c -N ../mcpp-2.7.2-old/src/support.c ./src/support.c
                      sp -= 2;
                      while (*sp != '\n')     /* Until end of line    */
                          mcpp_fputc( *sp++, OUT);
+# This chunk fixes CVE-2019-14274 - damcilva 2022-06-27
 +                     mcpp_fputc( '\n', OUT);
 +                     wrong_line = TRUE;
                  }