Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]
Fix an assortment of <no-dsa> CVEs.

[ Impact ]
Without this update some memory corruption and application crash vulnerabilities will remain unresolved.

[ Tests ]
The patches are straight cherry-picks of the relevant upstream commits, which have passed through extensive CI upstream and have been available to users for between 6 and 18 months (both via upstream releases which include the fixes and the corresponding packages in Debian unstable/testing).

[ Risks ]
The risks are low. The 4 patches themselves in aggregate have the following extent:

 4 files changed, 38 insertions(+), 12 deletions(-)

The individual changes underwent substantial upstream scrutiny, including code reviews by multiple developers, manual testing during development, and the aforementioned extensive CI.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)

CVE-2023-0437: change type of loop indices to guard against overflow (cherry-picked with no changes required)

CVE-2024-6381: iterate over a NULL-terminated string using a pointer (checking for the NULL to know when to stop) rather than an integer index (cherry-picked with no changes required)

CVE-2024-6383: keep track of allocated string size during allocation and append operations to guard against buffer overflow and memory corruption (backported with the only change being related to handling changed whitespace)

CVE-2025-0755: keep track of allocated string size during append operations to guard against buffer overflow and memory corruption (cherry-picked with no changes required)

[ Other info ]
I was the primary developer of 2 of the 4 patches, and I am very confident in the team's processes around the other two patches.
These changes pose a minimal regression risk, if any at all.
diff -Nru mongo-c-driver-1.23.1/debian/changelog mongo-c-driver-1.23.1/debian/changelog --- mongo-c-driver-1.23.1/debian/changelog 2022-10-20 12:58:40.000000000 -0400 +++ mongo-c-driver-1.23.1/debian/changelog 2025-04-18 16:28:00.000000000 -0400 @@ -1,3 +1,24 @@ +mongo-c-driver (1.23.1-1+deb12u1) bookworm; urgency=medium + + * Fix CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop + with an exit condition that cannot be reached may occur, i.e. an infinite + loop. + * Fix CVE-2024-6381: The bson_strfreev function in the MongoDB C driver + library may be susceptible to an integer overflow where the function will + try to free memory at a negative offset. This may result in memory + corruption. + * Fix CVE-2024-6383: The bson_string_append function in MongoDB C Driver may + be vulnerable to a buffer overflow where the function might attempt to + allocate too small of buffer and may lead to memory corruption of + neighbouring heap memory. + * Fix CVE-2025-0755: The various bson_append functions in the MongoDB C + driver library may be susceptible to buffer overflow when performing + operations that could result in a final BSON document which exceeds the + maximum allowable size (INT32_MAX), resulting in a segmentation fault and + possible application crash. + + -- Roberto C. Sanchez <[email protected]> Fri, 18 Apr 2025 16:28:00 -0400 + mongo-c-driver (1.23.1-1) unstable; urgency=medium * New upstream release diff -Nru mongo-c-driver-1.23.1/debian/gbp.conf mongo-c-driver-1.23.1/debian/gbp.conf --- mongo-c-driver-1.23.1/debian/gbp.conf 2022-10-20 12:58:40.000000000 -0400 +++ mongo-c-driver-1.23.1/debian/gbp.conf 2025-04-18 16:28:00.000000000 -0400 @@ -1,7 +1,6 @@ [DEFAULT] pristine-tar = False no-create-orig = True -pbuilder = True prebuild = bash -c " # Show execution trace 
@@ -13,11 +12,11 @@ zlib_rm_files=\"$(find src/zlib-* -mindepth 1 -maxdepth 1 \! -name zconf.h.in -printf '%p ')\" && # Create upstream tarball from reference, exclude items that do not belong pushd $GBP_GIT_DIR/.. && - git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz && + ( [ -f $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ] || git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ) && popd && rm -rf \$zlib_rm_files" upstream-tree = BRANCH -upstream-branch = r1.23 +upstream-branch = debian/bookworm upstream-tag = %(version)s -debian-branch = r1.23 +debian-branch = debian/bookworm diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch --- mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch 1969-12-31 19:00:00.000000000 -0500 +++ mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch 2025-04-18 16:28:00.000000000 -0400 
@@ -0,0 +1,29 @@ +From fd3a978b35cac8f3c78c4d9a1b08fd5aa4d440b8 Mon Sep 17 00:00:00 2001 +From: Kevin Albertson <[email protected]> +Date: Mon, 30 Oct 2023 18:01:30 +0000 +Subject: [PATCH] CDRIVER-4747 use `size_t` consistently in + `bson_utf8_validate` (#1458) + +Origin: https://github.com/mongodb/mongo-c-driver/commit/fd3a978b35cac8f3c78c4d9a1b08fd5aa4d440b8 +--- + src/libbson/src/bson/bson-utf8.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libbson/src/bson/bson-utf8.c b/src/libbson/src/bson/bson-utf8.c +index d7e9168c96..ac7a1bddfe 100644 +--- a/src/libbson/src/bson/bson-utf8.c ++++ b/src/libbson/src/bson/bson-utf8.c +@@ -118,8 +118,8 @@ bson_utf8_validate (const char *utf8, /* IN */ + bson_unichar_t c; + uint8_t first_mask; + uint8_t seq_length; +- unsigned i; +- unsigned j; ++ size_t i; ++ size_t j; + + BSON_ASSERT (utf8); + +-- +2.39.5 + diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch --- mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch 1969-12-31 19:00:00.000000000 -0500 +++ mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch 2025-04-18 16:28:00.000000000 -0400 
@@ -0,0 +1,34 @@ +From effd95c34ad421df94eec7c69236f0e4172552d0 Mon Sep 17 00:00:00 2001 +From: Ezra Chung <[email protected]> +Date: Fri, 8 Mar 2024 13:09:07 -0600 +Subject: [PATCH] CDRIVER-5504 Use pointer-based iteration when traversing + array elements (#1552) + +Origin: https://github.com/mongodb/mongo-c-driver/commit/effd95c34ad421df94eec7c69236f0e4172552d0 +--- + src/libbson/src/bson/bson-string.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/libbson/src/bson/bson-string.c b/src/libbson/src/bson/bson-string.c +index 36c4c5ab49..958fd10666 100644 +--- a/src/libbson/src/bson/bson-string.c ++++ b/src/libbson/src/bson/bson-string.c +@@ -473,11 +473,11 @@ bson_strndup (const char *str, /* IN */ + void + bson_strfreev (char **str) /* IN */ + { +- int i; +- + if (str) { +- for (i = 0; str[i]; i++) +- bson_free (str[i]); ++ for (char **ptr = str; *ptr != NULL; ++ptr) { ++ bson_free (*ptr); ++ } ++ + bson_free (str); + } + } +-- +2.39.5 + diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch --- mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch 1969-12-31 19:00:00.000000000 -0500 +++ mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch 2025-04-18 16:28:00.000000000 -0400 
@@ -0,0 +1,77 @@ +From 7c34461863211be172e6317221d72e4429bed45e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <[email protected]> +Date: Fri, 3 May 2024 15:30:45 -0400 +Subject: [PATCH] CDRIVER-5552 more robust string handling (#1593) + +Co-authored-by: Kevin Albertson <[email protected]> + +Origin: https://github.com/mongodb/mongo-c-driver/commit/7c34461863211be172e6317221d72e4429bed45e +--- + src/libbson/src/bson/bson-string.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/src/libbson/src/bson/bson-string.c ++++ b/src/libbson/src/bson/bson-string.c +@@ -20,6 +20,7 @@ + + #include "bson-compat.h" + #include "bson-config.h" ++#include "bson-cmp.h" + #include "bson-string.h" + #include "bson-memory.h" + #include "bson-utf8.h" +@@ -61,16 +62,25 @@ + bson_string_new (const char *str) /* IN */ + { + bson_string_t *ret; ++ size_t len_sz; + + ret = bson_malloc0 (sizeof *ret); +- ret->len = str ? (int) strlen (str) : 0; ++ if (str) { ++ len_sz = strlen (str); ++ BSON_ASSERT (len_sz <= UINT32_MAX); ++ ret->len = (uint32_t) len_sz; ++ } else { ++ ret->len = 0; ++ } + ret->alloc = ret->len + 1; + + if (!bson_is_power_of_two (ret->alloc)) { +- ret->alloc = (uint32_t) bson_next_power_of_two ((size_t) ret->alloc); ++ len_sz = bson_next_power_of_two ((size_t) ret->alloc); ++ BSON_ASSERT (len_sz <= UINT32_MAX); ++ ret->alloc = (uint32_t) len_sz; + } + +- BSON_ASSERT (ret->alloc >= 1); ++ BSON_ASSERT (ret->alloc >= ret->len + 1); + + ret->str = bson_malloc (ret->alloc); + +@@ -125,17 +135,22 @@ + const char *str) /* IN */ + { + uint32_t len; ++ size_t len_sz; + + BSON_ASSERT (string); + BSON_ASSERT (str); + +- len = (uint32_t) strlen (str); ++ len_sz = strlen (str); ++ BSON_ASSERT (bson_in_range_unsigned (uint32_t, len_sz)); ++ len = (uint32_t) len_sz; + + if ((string->alloc - string->len - 1) < len) { ++ BSON_ASSERT (string->alloc <= UINT32_MAX - len); + string->alloc += len; + if (!bson_is_power_of_two 
(string->alloc)) { +- string->alloc = +- (uint32_t) bson_next_power_of_two ((size_t) string->alloc); ++ len_sz = bson_next_power_of_two ((size_t) string->alloc); ++ BSON_ASSERT (len_sz <= UINT32_MAX); ++ string->alloc = (uint32_t) len_sz; + } + string->str = bson_realloc (string->str, string->alloc); + } diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch --- mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch 1969-12-31 19:00:00.000000000 -0500 +++ mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch 2025-04-18 16:28:00.000000000 -0400 
@@ -0,0 +1,39 @@ +From d3cdb626be30748b9360451023c75438ec346a38 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <[email protected]> +Date: Tue, 16 Jul 2024 16:15:16 -0400 +Subject: [PATCH] CDRIVER-5601 more robust bson append (#1648) + +Co-authored-by: Kevin Albertson <[email protected]> +Co-authored-by: Ezra Chung <[email protected]> + +Origin: https://github.com/mongodb/mongo-c-driver/commit/d3cdb626be30748b9360451023c75438ec346a38 +--- + src/libbson/src/bson/bson.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/libbson/src/bson/bson.c b/src/libbson/src/bson/bson.c +index adc5ee2cc8..e29b2a771c 100644 +--- a/src/libbson/src/bson/bson.c ++++ b/src/libbson/src/bson/bson.c +@@ -324,7 +324,18 @@ _bson_append_va (bson_t *bson, /* IN */ + + buf = _bson_data (bson) + bson->len - 1; + ++ /* Track running sum of bytes written in a uint64_t to detect possible overflow of `n_bytes`. */ ++ uint64_t n_bytes_sum = 0; + do { ++ // Size of any individual data being appended should not exceed the total byte limit. ++ if (BSON_UNLIKELY (bson_cmp_less_uu (n_bytes, data_len))) { ++ return false; ++ } ++ // Total size of data being appended should not exceed the total byte limit. ++ if (BSON_UNLIKELY (bson_cmp_greater_uu (n_bytes_sum, n_bytes - data_len))) { ++ return false; ++ } ++ n_bytes_sum += data_len; + n_pairs--; + /* data may be NULL if data_len is 0. memcpy is not safe to call with + * NULL. */ +-- +2.39.5 + diff -Nru mongo-c-driver-1.23.1/debian/patches/series mongo-c-driver-1.23.1/debian/patches/series --- mongo-c-driver-1.23.1/debian/patches/series 1969-12-31 19:00:00.000000000 -0500 +++ mongo-c-driver-1.23.1/debian/patches/series 2025-04-18 16:28:00.000000000 -0400 @@ -0,0 +1,4 @@ +CVE-2023-0437.patch +CVE-2024-6381.patch +CVE-2024-6383.patch +CVE-2025-0755.patch
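Review bot: the debian/gbp.conf hunk drops `pbuilder = True`, wraps the `git archive` call in a `[ -f ... ] ||` guard so an existing orig tarball is reused, and repoints `upstream-branch` and `debian-branch` from `r1.23` to `debian/bookworm`, but none of that appears in the new d/changelog entry, which lists only the four CVE fixes even though the checklist asserts that all changes are documented; add a changelog line for the packaging-workflow changes, or leave them out of the stable update if the build does not need them.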
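Review bot: the bson-utf8.c hunk in CVE-2023-0437.patch changes only the declarations of `i` and `j` from `unsigned` to `size_t`; every comparison and arithmetic use of those indices further down in `bson_utf8_validate` lies outside the shown context, so the review should confirm that each of them now compares against a `size_t` length and that no narrowing cast to `unsigned` remains, otherwise the unreachable exit condition described in the changelog entry would persist.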
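Review bot: the replacement loop in `bson_strfreev` (CVE-2024-6381.patch) declares `char **ptr` in the `for` initialiser, which needs C99 or later; almost certainly already the project's baseline, but worth a glance at the compiler flags used for the bookworm build. The hunk also adds a blank line between the loop's closing brace and `bson_free (str)`; cosmetic only.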
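Review bot: CVE-2024-6383.patch adds `#include "bson-cmp.h"` and relies on `bson_in_range_unsigned`, yet nothing else in the debdiff adds that header, so the review should confirm that `bson-cmp.h` with that macro already ships in 1.23.1 (the submission says the only backport change concerned whitespace). Minor: the same bound is checked two ways, `BSON_ASSERT (len_sz <= UINT32_MAX)` in `bson_string_new` and `BSON_ASSERT (bson_in_range_unsigned (uint32_t, len_sz))` in the append path; one form would be clearer. Note too that this patch, unlike the other three, carries no `diff --git`/`index` lines, consistent with a hand backport; quilt does not mind, but it will not apply with `git am`.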
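Review bot: in CVE-2025-0755.patch the two new bounds checks sit inside the `do` loop ahead of the per-pair copy (the `memcpy` the following context comment refers to), so when the running-sum check fails on a later pair, earlier pairs from the same call have already been written starting at `buf`, which the context shows is `_bson_data (bson) + bson->len - 1`, i.e. over the document's trailing byte, before `return false`; confirm that the caller's length field and terminator are left consistent on that path, or hoist the summation over all pairs ahead of the loop so nothing is written on failure. Also, the two functions `bson_cmp_less_uu` and `bson_cmp_greater_uu` are used in bson.c without this hunk adding an include for them, so bson.c must already pull in the header that defines them. Style: the new comments mix `/* */` and `//`, and `uint64_t n_bytes_sum` is declared after statements; both fine under C99 but inconsistent with the surrounding function.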
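The size-tracking approach the [ Changes ] section describes for CVE-2024-6383 and CVE-2025-0755, as an added C example written for this page (not the driver's code; xstring_t, next_pow2_u32, xstring_plan_growth and xstring_append are hypothetical names): growth is planned with explicit wrap checks and refused on failure, rather than asserted as in the upstream patches, so the rejection path can be exercised in a test.

```c
/* Added example, not the driver's code: append that validates its size arithmetic
 * before growing (style of the CVE-2024-6383 fix); all names here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* len excludes the terminating NUL; invariant: alloc >= len + 1 */
typedef struct { char *str; uint32_t len, alloc; } xstring_t;

/* Smallest power of two >= v, or 0 if it does not fit in 32 bits. */
static uint32_t next_pow2_u32 (size_t v)
{
   size_t p = 1;
   while (p < v) {
      if (p > SIZE_MAX / 2) return 0;
      p <<= 1;
   }
   return p > UINT32_MAX ? 0 : (uint32_t) p;
}
/* Allocation needed to append add_len bytes, or false if any step would wrap
 * uint32_t (the unpatched code did `alloc += len` and the round-up unchecked). */
bool xstring_plan_growth (uint32_t len, uint32_t alloc, size_t add_len, uint32_t *new_alloc)
{
   if (add_len > UINT32_MAX) return false;                    /* strlen() too large */
   uint32_t add = (uint32_t) add_len;
   if (alloc - len - 1 >= add) { *new_alloc = alloc; return true; } /* already fits */
   if (alloc > UINT32_MAX - add) return false;                /* alloc + add would wrap */
   uint32_t grown = alloc + add;
   /* Round up to a power of two; next_pow2_u32 yields 0 when that would wrap. */
   if ((grown & (grown - 1)) != 0 && (grown = next_pow2_u32 (grown)) == 0) return false;
   *new_alloc = grown;
   return true;
}

bool xstring_append (xstring_t *s, const char *add)
{
   uint32_t new_alloc;
   size_t add_len = strlen (add);
   if (!xstring_plan_growth (s->len, s->alloc, add_len, &new_alloc)) return false;
   if (new_alloc != s->alloc) {
      char *p = realloc (s->str, new_alloc);
      if (!p) return false;
      s->str = p; s->alloc = new_alloc;
   }
   memcpy (s->str + s->len, add, add_len + 1); /* copies the NUL too */
   s->len += (uint32_t) add_len;
   return true;
}
```

xstring_plan_growth is split out so the overflow cases can be checked on the numbers alone, without allocating multi-gigabyte buffers.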

