Hi,

Here's the proposed debdiff for patching the current version in Sid.

Thomas Goirand (zigo)
diff -Nru mongodb-2.4.3/debian/changelog mongodb-2.4.3/debian/changelog
--- mongodb-2.4.3/debian/changelog      2013-04-24 20:18:05.000000000 +0000
+++ mongodb-2.4.3/debian/changelog      2013-07-18 13:56:15.000000000 +0000
@@ -1,3 +1,11 @@
+mongodb (1:2.4.3-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2013-4650 - fix allows remote authenticated users to obtain internal
+    system privileges (Closes: #715007).
+
+ -- Thomas Goirand <[email protected]>  Thu, 18 Jul 2013 13:55:23 +0000
+
 mongodb (1:2.4.3-1) unstable; urgency=low
 
   [ Jeff Epler ]
diff -Nru 
mongodb-2.4.3/debian/patches/0008-CVE-2013-4650_do_not_lock_when_looking_up_for_system_user.patch
 
mongodb-2.4.3/debian/patches/0008-CVE-2013-4650_do_not_lock_when_looking_up_for_system_user.patch
--- 
mongodb-2.4.3/debian/patches/0008-CVE-2013-4650_do_not_lock_when_looking_up_for_system_user.patch
   1970-01-01 00:00:00.000000000 +0000
+++ 
mongodb-2.4.3/debian/patches/0008-CVE-2013-4650_do_not_lock_when_looking_up_for_system_user.patch
   2013-07-18 13:55:04.000000000 +0000
@@ -0,0 +1,50 @@
+Description: CVE-2013-4650 - fix allows remote authenticated users to obtain 
internal system privileges
+ MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote
+ authenticated users to obtain internal system privileges by leveraging a
+ username of __system in an arbitrary database.
+ .
+ Do not needlessly lock when looking up privileges for the  __system@local user
+Author: Andy Schwerin
+Bug-Debian: http://bugs.debian.org/715007
+Origin: 
https://github.com/mongodb/mongo/commit/23344f8b7506df694f66999693ee3c00dfd6afae
+Last-Update: 2013-07-18
+
+--- mongodb-2.4.3.orig/src/mongo/db/auth/authorization_manager.cpp
++++ mongodb-2.4.3/src/mongo/db/auth/authorization_manager.cpp
+@@ -394,9 +394,21 @@ namespace {
+         _authenticatedPrincipals.add(principal);
+         if (!principal->isImplicitPrivilegeAcquisitionEnabled())
+             return;
++
++        const std::string dbname = principal->getName().getDB().toString();
++        if (dbname == StringData("local", StringData::LiteralTag()) &&
++            principal->getName().getUser() == internalSecurity.user) {
++
++            // Grant full access to internal user
++            ActionSet allActions;
++            allActions.addAllActions();
++            acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, 
allActions),
++                             principal->getName());
++            return;
++        }
++
+         _acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, 
principal->getName());
+         principal->markDatabaseAsProbed(ADMIN_DBNAME);
+-        const std::string dbname = principal->getName().getDB().toString();
+         _acquirePrivilegesForPrincipalFromDatabase(dbname, 
principal->getName());
+         principal->markDatabaseAsProbed(dbname);
+     }
+@@ -491,13 +503,6 @@ namespace {
+                                   << principal.getDB(),
+                           0);
+         }
+-        if (principal.getUser() == internalSecurity.user) {
+-            // Grant full access to internal user
+-            ActionSet allActions;
+-            allActions.addAllActions();
+-            return 
acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions),
+-                                    principal);
+-        }
+         return buildPrivilegeSet(dbname, principal, privilegeDocument, 
&_acquiredPrivileges);
+     }
+ 
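Review bot: The `if` added in the first nested hunk (`@@ -394,9 +394,21 @@`) is the whole security boundary for CVE-2013-4650, but its only comment is `// Grant full access to internal user`, which does not explain the comparison against the `local` database. I would put a comment above the condition such as `// Only __system@local is the internal user; a __system user in any other database must take the normal privilege lookup below (CVE-2013-4650).`, and add a regression test that a `__system` principal from a non-`local` database does not receive `WILDCARD_RESOURCE`. The removed code returned the result of `acquirePrivilege(...)`, while the new call sits in a function that uses bare `return;` and drops that result, so a failure would presumably leave the internal principal without privileges and without any trace; that fails closed, but logging or asserting on the result would make it visible. The early `return` also skips both `markDatabaseAsProbed` calls, which looks intentional but should be confirmed against any later probing code outside this hunk. Both enclosing functions start outside the visible hunks.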
diff -Nru mongodb-2.4.3/debian/patches/series 
mongodb-2.4.3/debian/patches/series
--- mongodb-2.4.3/debian/patches/series 2013-04-24 20:18:05.000000000 +0000
+++ mongodb-2.4.3/debian/patches/series 2013-07-18 13:51:02.000000000 +0000
@@ -5,3 +5,4 @@
 0005-kfreebsd-does-not-have-sys-prctl.h.patch
 0006-ARM-support-for-ASM-operations-in-MongoDB.patch
 0007-Fix-ARM-alignment-problems.patch
+0008-CVE-2013-4650_do_not_lock_when_looking_up_for_system_user.patch
