Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libbson-xs-perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]
Fix an assortment of <no-dsa> CVEs.

[ Impact ]
Without this update some memory corruption and application crash
vulnerabilities will remain unresolved.

[ Tests ]
The patches are cherry-picks of the relevant upstream commits, with some
minor tweaks required during backporting to the older libbson code embedded
in this package. The upstream commits have passed through extensive CI
upstream and they have been available to users for between 6 months and 7
years (via upstream releases of mongo-c-driver and/or libbson, which include
the fixes, and the corresponding packages in Debian unstable/testing).

[ Risks ]
The risks are low. The 6 patches themselves in aggregate have the following
extent:

 4 files changed, 43 insertions(+), 13 deletions(-)

Additionally, 4 of the 6 patches have been recently re-examined as part of
backporting them to mongo-c-driver/1.23.1-1+deb12u1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable
      * libbson-xs-perl is removed from unstable, so this is N/A

[ Changes ]
CVE-2017-14227: Check for zero string length (cherry-picked, ignoring
test-specific changes and accounting for whitespace differences)

CVE-2018-16790: Verify bounds before binary length read (cherry-picked,
ignoring test-specific changes and accounting for whitespace differences)

CVE-2023-0437: change type of loop indices to guard against overflow
(cherry-picked with no changes required)

CVE-2024-6381: iterate over a NULL-terminated string using a pointer
(checking for the NULL to know when to stop) rather than an integer index
(cherry-picked with no non-whitespace changes required)

CVE-2024-6383: keep track of allocated string size during allocation and
append operations to guard against buffer overflow and memory corruption
(backported with adjustments to whitespace and for using primitives for
bounds checking, rather than convenience macros introduced in later
upstream versions)

CVE-2025-0755: keep track of allocated string size during append operations
to guard against buffer overflow and memory corruption (cherry-picked with
adjustments for using primitives for bounds checking, rather than
convenience macros introduced in later upstream versions)

[ Other info ]
No further information.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEIYZ1DR4ae5UL01q7ldFmTdL1kUIFAmgX6J8ACgkQldFmTdL1
kULYexAAwiMGM2IczF09ImPUzjFVs6YTVhLvPNLsPSnmhhXK1GYpFEVU0UD8r0JM
avh4n+664MpJ5ft229CS1nJfFpE9/W9nyuwHW13LuGo51fB0iszoomWGmef0d70S
WqTH5bUKDcaXSP0t6vzL8mC213DWlU41FKcbLYXz/ujLRz24J7WdT0+joJHqyFvB
JC4gzJBZMmoAPqSn4ZfakDpRvHynUVxyCwM9r9PO4GuRd7KRrOCTZivz/6gy9xR7
Rf/zD+6GI3Yr56FH4Rxy6yt5Ff4BPXjgWpaCTusNaZZYUHMq/G9jqUzWlYDgtxHw
Mye3xYhfbLWy4jGLLFdY0RP4kFH5ifl2lGoJvUQ1H6pLXVaVuvBWoMHjEKxLX1af
FXFeAGaNOC/bf9atsRIxYXMIPa/aD7jSFbG0cAsrlFqmu3NU1NrUx2l+ebMpENk2
GxSJm+yud8n9W5auw1zEkoLBr+DQntwdNNa6IoEuln0SaWKXwiZCsyuzhBR6hdkk
amXmi2QX1xvz5dncWh7PBEkvoUEjlWp7YFXLaEpaEPFgxykHlkY9rAKTLK0MFuTm
55roVXQ041RryjDiqtCdiTBOwZVi8IZg4PgEurcDE7FH26XsL46c8+RojrBf2VoY
mEEuV8R1fvud3TpZvhPkuGDUl61fUVkWjn7qrrSgmpudqD9K2oA=
=H6xS
-----END PGP SIGNATURE-----
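The [ Changes ] list and the changelog describe the CVE-2018-16790 fix in one line each ("verify bounds before binary length read"). The following is an added example, not code from libbson, from this upload or from its author: it reconstructs the layout of a BSON binary element and shows, on a constructed 17-byte document (the same size as upstream's test59.bson, whose bytes are not in the diff), why the pre-fix comparison `l >= (len - o)` lets an iterator read past the buffer while the patched `l >= (len - o - 4)` does not. All names (`check_first_binary`, `overread_bytes`, `binary_len_check`, the `crafted_doc` and `benign_doc` arrays) are this example's own, and the `o + 4 > len` guard before the comparison is an assumption of the example, not something taken from the patch.

```c
/* Added example, not part of libbson or of this upload: a minimal check for
 * one BSON "binary" element that contrasts the pre- and post-CVE-2018-16790
 * length comparison from the patch. Names and the sample documents below are
 * constructed for illustration.
 *
 * Element layout (after the 0x05 type byte and the NUL-terminated key):
 *     int32 l (little-endian) | uint8 subtype | l payload bytes
 * `len` is the whole document size, `o` the offset of the int32 `l`.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    REJECTED = 0,          /* length check refused the element */
    ACCEPTED_SAFE = 1,     /* accepted and the payload fits in the buffer */
    ACCEPTED_OVERREAD = 2  /* accepted, but reading the payload runs past len */
} verdict_t;

static uint32_t rd_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Payload bytes that lie beyond the end of the buffer; 0 means in bounds.
 * The payload occupies [o + 4 + 1, o + 4 + 1 + l). Computed in 64 bits so
 * the sum cannot wrap. */
uint64_t overread_bytes(uint32_t len, uint32_t o, uint32_t l)
{
    uint64_t end = (uint64_t)o + 4 + 1 + l;
    return end > len ? end - len : 0;
}

/* The comparison from the patch, before (fixed == false) and after the fix.
 * The `o + 4 > len` pre-check is this example's assumption: both forms need
 * it, or `len - o - 4` wraps around in unsigned arithmetic. */
bool binary_len_check(uint32_t len, uint32_t o, uint32_t l, bool fixed)
{
    if (o + 4 > len)
        return false;
    if (fixed)
        return !(l >= (len - o - 4));  /* subtype byte + payload must fit */
    return !(l >= (len - o));          /* forgets the 4-byte length prefix */
}

/* Walk a document whose first element is binary and report what an
 * iterator using the given check would do with it. */
verdict_t check_first_binary(const uint8_t *doc, uint32_t len, bool fixed)
{
    if (len < 5 || rd_u32_le(doc) != len || doc[4] != 0x05)
        return REJECTED;
    uint32_t o = 5;
    while (o < len && doc[o] != 0)     /* skip the key up to its NUL */
        o++;
    o++;                               /* step over the NUL */
    if (o + 4 > len)                   /* the int32 length itself must fit */
        return REJECTED;
    uint32_t l = rd_u32_le(doc + o);
    if (!binary_len_check(len, o, l, fixed))
        return REJECTED;
    return overread_bytes(len, o, l) ? ACCEPTED_OVERREAD : ACCEPTED_SAFE;
}

/* Constructed 17-byte documents: {"a": Binary(4 bytes)}. The crafted copy
 * claims l = 9 although only 4 payload bytes (plus the document's closing
 * 0x00) follow. */
const uint8_t crafted_doc[17] = {
    0x11, 0x00, 0x00, 0x00,       /* total length 17 */
    0x05, 'a', 0x00,              /* type binary, key "a" */
    0x09, 0x00, 0x00, 0x00,       /* l = 9 (a lie) */
    0x00,                         /* subtype 0x00 */
    'D', 'A', 'T', 'A',           /* the 4 real payload bytes */
    0x00                          /* end of document */
};
const uint8_t benign_doc[17] = {
    0x11, 0x00, 0x00, 0x00, 0x05, 'a', 0x00,
    0x04, 0x00, 0x00, 0x00, 0x00, 'D', 'A', 'T', 'A', 0x00
};

int main(void)
{
    printf("crafted, old check: %d (2 = accepted with over-read)\n",
           (int)check_first_binary(crafted_doc, 17, false));
    printf("crafted, new check: %d (0 = rejected)\n",
           (int)check_first_binary(crafted_doc, 17, true));
    printf("benign,  new check: %d (1 = accepted, in bounds)\n",
           (int)check_first_binary(benign_doc, 17, true));
    return 0;
}
```

With the old comparison the crafted document passes (9 is less than len - o = 10) and the iterator would read 4 bytes past the end of the buffer; with the patched comparison it is refused because 9 is not less than len - o - 4 = 6, while the honest document still passes both. The `>=` rather than `>` is what reserves the one subtype byte between the length and the payload.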
diff -Nru libbson-xs-perl-0.8.4/debian/changelog libbson-xs-perl-0.8.4/debian/changelog --- libbson-xs-perl-0.8.4/debian/changelog 2022-11-19 15:12:44.000000000 -0500 +++ libbson-xs-perl-0.8.4/debian/changelog 2025-05-03 16:43:49.000000000 -0400 
@@ -1,3 +1,33 @@ +libbson-xs-perl (0.8.4-2+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Fix security issues in embedded copy of libbson: + + CVE-2017-14227: the bson_iter_codewscope function in bson-iter.c + miscalculates a bson_utf8_validate length argument, which allows remote + attackers to cause a denial of service (heap-based buffer over-read in the + bson_utf8_validate function in bson-utf8.c), as demonstrated by + bson-to-json.c. + + CVE-2018-16790: _bson_iter_next_internal has a heap-based buffer over-read + via a crafted bson buffer. + + CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop + with an exit condition that cannot be reached may occur, i.e. an infinite + loop. + + CVE-2024-6381: The bson_strfreev function in the MongoDB C driver + library may be susceptible to an integer overflow where the function will + try to free memory at a negative offset. This may result in memory + corruption. + + CVE-2024-6383: The bson_string_append function in MongoDB C Driver may + be vulnerable to a buffer overflow where the function might attempt to + allocate too small of buffer and may lead to memory corruption of + neighbouring heap memory. + + CVE-2025-0755: The various bson_append functions in the MongoDB C + driver library may be susceptible to buffer overflow when performing + operations that could result in a final BSON document which exceeds the + maximum allowable size (INT32_MAX), resulting in a segmentation fault and + possible application crash. + + -- Roberto C. Sánchez <[email protected]> Sat, 03 May 2025 16:43:49 -0400 + libbson-xs-perl (0.8.4-2) unstable; urgency=medium [ Yadd ] diff -Nru libbson-xs-perl-0.8.4/debian/gbp.conf libbson-xs-perl-0.8.4/debian/gbp.conf --- libbson-xs-perl-0.8.4/debian/gbp.conf 2022-11-19 15:12:44.000000000 -0500 +++ libbson-xs-perl-0.8.4/debian/gbp.conf 2025-05-03 16:43:49.000000000 -0400 
@@ -1,5 +1,6 @@ [DEFAULT] pristine-tar = True +debian-branch = debian/bookworm [import-orig] filter = [ '.gitignore', '.travis.yml', '.git*' ] diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2017-14227.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2017-14227.patch --- libbson-xs-perl-0.8.4/debian/patches/CVE-2017-14227.patch 1969-12-31 19:00:00.000000000 -0500 +++ libbson-xs-perl-0.8.4/debian/patches/CVE-2017-14227.patch 2025-05-03 16:43:49.000000000 -0400 
@@ -0,0 +1,36 @@ +From 42900956dc461dfe7fb91d93361d10737c1602b3 Mon Sep 17 00:00:00 2001 +From: Kevin Albertson <[email protected]> +Date: Fri, 8 Sep 2017 10:47:10 -0400 +Subject: [PATCH] CDRIVER-2269 Check for zero string length in codewscope + +Origin: backport, https://github.com/mongodb/libbson/commit/42900956dc461dfe7fb91d93361d10737c1602b3 +--- + src/bson/bson-iter.c | 35 +++++++++++---------- + tests/binary/cdriver2269.bson | Bin 0 -> 28 bytes + bson/bson-iter.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + create mode 100644 tests/binary/cdriver2269.bson + +--- a/bson/bson-iter.c ++++ b/bson/bson-iter.c +@@ -671,7 +671,7 @@ + memcpy (&l, iter->raw + iter->d2, sizeof (l)); + l = BSON_UINT32_FROM_LE (l); + +- if (l >= (len - o - 4 - 4)) { ++ if (l == 0 || l >= (len - o - 4 - 4)) { + iter->err_off = o; + goto mark_invalid; + } +@@ -1312,7 +1312,10 @@ + if (ITER_TYPE (iter) == BSON_TYPE_CODEWSCOPE) { + if (length) { + memcpy (&len, iter->raw + iter->d2, sizeof (len)); +- *length = BSON_UINT32_FROM_LE (len) - 1; ++ /* The string length was checked > 0 in _bson_iter_next_internal. */ ++ len = BSON_UINT32_FROM_LE (len); ++ BSON_ASSERT (len > 0); ++ *length = len - 1; + } + + memcpy (&len, iter->raw + iter->d4, sizeof (len)); diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2018-16790.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2018-16790.patch --- libbson-xs-perl-0.8.4/debian/patches/CVE-2018-16790.patch 1969-12-31 19:00:00.000000000 -0500 +++ libbson-xs-perl-0.8.4/debian/patches/CVE-2018-16790.patch 2025-05-03 16:43:49.000000000 -0400 
@@ -0,0 +1,36 @@ +From 0d9a4d98bfdf4acd2c0138d4aaeb4e2e0934bd84 Mon Sep 17 00:00:00 2001 +From: Scott Gayou <[email protected]> +Date: Fri, 14 Sep 2018 11:55:11 -0500 +Subject: [PATCH] Fix for CVE-2018-16790 -- Verify bounds before binary length + read. + +As reported here: https://jira.mongodb.org/browse/CDRIVER-2819, +a heap overread occurs due a failure to correctly verify data +bounds. + +In the original check, len - o returns the data left including the +sizeof(l) we just read. Instead, the comparison should check +against the data left NOT including the binary int32, i.e. just +subtype (byte*) instead of int32 subtype (byte*). + +Added in test for corrupted BSON example. + +Origin: backport, https://github.com/mongodb/mongo-c-driver/commit/0d9a4d98bfdf4acd2c0138d4aaeb4e2e0934bd84 +--- + src/libbson/src/bson/bson-iter.c | 2 +- + src/libbson/tests/binary/test59.bson | Bin 0 -> 17 bytes + bson/bson-iter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + create mode 100644 src/libbson/tests/binary/test59.bson + +--- a/bson/bson-iter.c ++++ b/bson/bson-iter.c +@@ -526,7 +526,7 @@ + memcpy (&l, iter->raw + iter->d1, sizeof (l)); + l = BSON_UINT32_FROM_LE (l); + +- if (l >= (len - o)) { ++ if (l >= (len - o - 4)) { + iter->err_off = o; + goto mark_invalid; + } diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2023-0437.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2023-0437.patch --- libbson-xs-perl-0.8.4/debian/patches/CVE-2023-0437.patch 1969-12-31 19:00:00.000000000 -0500 +++ libbson-xs-perl-0.8.4/debian/patches/CVE-2023-0437.patch 2025-05-03 16:43:49.000000000 -0400 
@@ -0,0 +1,29 @@ +From fd3a978b35cac8f3c78c4d9a1b08fd5aa4d440b8 Mon Sep 17 00:00:00 2001 +From: Kevin Albertson <[email protected]> +Date: Mon, 30 Oct 2023 18:01:30 +0000 +Subject: [PATCH] CDRIVER-4747 use `size_t` consistently in + `bson_utf8_validate` (#1458) + +Origin: https://github.com/mongodb/mongo-c-driver/commit/fd3a978b35cac8f3c78c4d9a1b08fd5aa4d440b8 +--- + src/libbson/src/bson/bson-utf8.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/bson/bson-utf8.c b/bson/bson-utf8.c +index d7e9168c96..ac7a1bddfe 100644 +--- a/bson/bson-utf8.c ++++ b/bson/bson-utf8.c +@@ -118,8 +118,8 @@ bson_utf8_validate (const char *utf8, /* IN */ + bson_unichar_t c; + uint8_t first_mask; + uint8_t seq_length; +- unsigned i; +- unsigned j; ++ size_t i; ++ size_t j; + + BSON_ASSERT (utf8); + +-- +2.39.5 + diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6381.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6381.patch --- libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6381.patch 1969-12-31 19:00:00.000000000 -0500 +++ libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6381.patch 2025-05-03 16:43:49.000000000 -0400 
@@ -0,0 +1,29 @@ +From effd95c34ad421df94eec7c69236f0e4172552d0 Mon Sep 17 00:00:00 2001 +From: Ezra Chung <[email protected]> +Date: Fri, 8 Mar 2024 13:09:07 -0600 +Subject: [PATCH] CDRIVER-5504 Use pointer-based iteration when traversing + array elements (#1552) + +Origin: https://github.com/mongodb/mongo-c-driver/commit/effd95c34ad421df94eec7c69236f0e4172552d0 +--- + bson/bson-string.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/bson/bson-string.c ++++ b/bson/bson-string.c +@@ -491,11 +491,11 @@ + void + bson_strfreev (char **str) /* IN */ + { +- int i; +- + if (str) { +- for (i = 0; str [i]; i++) +- bson_free (str [i]); ++ for (char **ptr = str; *ptr != NULL; ++ptr) { ++ bson_free (*ptr); ++ } ++ + bson_free (str); + } + } diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6383.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6383.patch --- libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6383.patch 1969-12-31 19:00:00.000000000 -0500 +++ libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6383.patch 2025-05-03 16:43:49.000000000 -0400 
@@ -0,0 +1,68 @@ +From 7c34461863211be172e6317221d72e4429bed45e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <[email protected]> +Date: Fri, 3 May 2024 15:30:45 -0400 +Subject: [PATCH] CDRIVER-5552 more robust string handling (#1593) + +Co-authored-by: Kevin Albertson <[email protected]> + +Origin: https://github.com/mongodb/mongo-c-driver/commit/7c34461863211be172e6317221d72e4429bed45e +--- + bson/bson-string.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +--- a/bson/bson-string.c ++++ b/bson/bson-string.c +@@ -57,16 +57,25 @@ + bson_string_new (const char *str) /* IN */ + { + bson_string_t *ret; ++ size_t len_sz; + + ret = bson_malloc0 (sizeof *ret); +- ret->len = str ? (int)strlen (str) : 0; ++ if (str) { ++ len_sz = strlen (str); ++ BSON_ASSERT (len_sz <= UINT32_MAX); ++ ret->len = (uint32_t) len_sz; ++ } else { ++ ret->len = 0; ++ } + ret->alloc = ret->len + 1; + + if (!bson_is_power_of_two (ret->alloc)) { +- ret->alloc = (uint32_t)bson_next_power_of_two ((size_t)ret->alloc); ++ len_sz = bson_next_power_of_two ((size_t) ret->alloc); ++ BSON_ASSERT (len_sz <= UINT32_MAX); ++ ret->alloc = (uint32_t) len_sz; + } + +- BSON_ASSERT (ret->alloc >= 1); ++ BSON_ASSERT (ret->alloc >= ret->len + 1); + + ret->str = bson_malloc (ret->alloc); + +@@ -142,16 +151,23 @@ + const char *str) /* IN */ + { + uint32_t len; ++ size_t len_sz; + + BSON_ASSERT (string); + BSON_ASSERT (str); + + len = (uint32_t)strlen (str); ++ len_sz = strlen (str); ++ BSON_ASSERT (len_sz <= UINT32_MAX); ++ len = (uint32_t) len_sz; + + if ((string->alloc - string->len - 1) < len) { ++ BSON_ASSERT (string->alloc <= UINT32_MAX - len); + string->alloc += len; + if (!bson_is_power_of_two (string->alloc)) { +- string->alloc = (uint32_t)bson_next_power_of_two ((size_t)string->alloc); ++ len_sz = bson_next_power_of_two ((size_t) string->alloc); ++ BSON_ASSERT (len_sz <= UINT32_MAX); ++ string->alloc = (uint32_t) len_sz; + } + string->str = 
bson_realloc (string->str, string->alloc); + } diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2025-0755.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2025-0755.patch --- libbson-xs-perl-0.8.4/debian/patches/CVE-2025-0755.patch 1969-12-31 19:00:00.000000000 -0500 +++ libbson-xs-perl-0.8.4/debian/patches/CVE-2025-0755.patch 2025-05-03 16:43:49.000000000 -0400 @@ -0,0 +1,34 @@ +From d3cdb626be30748b9360451023c75438ec346a38 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <[email protected]> +Date: Tue, 16 Jul 2024 16:15:16 -0400 +Subject: [PATCH] CDRIVER-5601 more robust bson append (#1648) + +Co-authored-by: Kevin Albertson <[email protected]> +Co-authored-by: Ezra Chung <[email protected]> + +Origin: https://github.com/mongodb/mongo-c-driver/commit/d3cdb626be30748b9360451023c75438ec346a38 +--- + bson/bson.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/bson/bson.c ++++ b/bson/bson.c +@@ -321,7 +321,18 @@ + + buf = _bson_data (bson) + bson->len - 1; + ++ /* Track running sum of bytes written in a uint64_t to detect possible overflow of `n_bytes`. */ ++ uint64_t n_bytes_sum = 0; + do { ++ // Size of any individual data being appended should not exceed the total byte limit. ++ if (BSON_UNLIKELY (n_bytes < data_len)) { ++ return false; ++ } ++ // Total size of data being appended should not exceed the total byte limit. ++ if (BSON_UNLIKELY (n_bytes_sum > n_bytes - data_len)) { ++ return false; ++ } ++ n_bytes_sum += data_len; + n_pairs--; + memcpy (buf, data, data_len); + bson->len += data_len; diff -Nru libbson-xs-perl-0.8.4/debian/patches/series libbson-xs-perl-0.8.4/debian/patches/series --- libbson-xs-perl-0.8.4/debian/patches/series 1969-12-31 19:00:00.000000000 -0500 +++ libbson-xs-perl-0.8.4/debian/patches/series 2025-05-03 16:43:49.000000000 -0400 @@ -0,0 +1,6 @@ +CVE-2017-14227.patch +CVE-2018-16790.patch +CVE-2023-0437.patch +CVE-2024-6381.patch +CVE-2024-6383.patch +CVE-2025-0755.patch
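Review bot: the cover letter's checklist ticks "*all* changes are documented in the d/changelog", but the debian/gbp.conf hunk that adds `debian-branch = debian/bookworm` has no corresponding line in the 0.8.4-2+deb12u1 changelog entry, which lists only the six CVE patches; either add a line such as `* d/gbp.conf: set debian-branch to debian/bookworm` or drop the gbp.conf change from this upload, since it is packaging housekeeping unrelated to the security fixes.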
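Review bot: the DEP-3 header of CVE-2017-14227.patch carries two diffstats, the upstream one (`src/bson/bson-iter.c | 35`, `tests/binary/cdriver2269.bson | Bin 0 -> 28 bytes`, and a `create mode 100644 tests/binary/cdriver2269.bson`) and the backport's own (`bson/bson-iter.c | 7 +++++--`), while the patch body touches only bson/bson-iter.c; trim the stale upstream lines so the header matches the content, and it would help to say in the cover letter that the upstream regression input cdriver2269.bson is therefore not carried, i.e. the zero-length codewscope case is not exercised by the package's own tests. The code change itself reads correctly: `l == 0` rejects a code string whose int32 length cannot even hold its NUL terminator, so the `BSON_ASSERT (len > 0)` added in bson_iter_codewscope is unreachable in practice and `*length = len - 1` can no longer wrap to UINT32_MAX.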
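Review bot: in CVE-2018-16790.patch the corrected `l >= (len - o - 4)` is only sound if `o + 4 < len` was already established before the int32 is read at `iter->d1`; that guard lies outside the hunk's three lines of context, so please confirm it exists in this 0.8.4 copy of bson-iter.c, because if `o` can get within 4 bytes of `len` the unsigned subtraction wraps and the comparison passes for any `l`. A one-line comment that the `>=` (not `>`) is what reserves the 1-byte subtype after the length would keep a later reader from "tightening" it. Same remark as for the previous patch on the header: `src/libbson/tests/binary/test59.bson` is listed in the diffstat and announced with `create mode`, but the test file is not shipped.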
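Review bot: widening `i` and `j` to `size_t` in CVE-2023-0437.patch only removes the non-terminating loop if the bound the loop compares against is also `size_t`, and neither the `for` condition nor the length parameter is in the hunk; please double-check that in this tree the loop in bson_utf8_validate compares `i` with a `size_t` length and that `seq_length` (still `uint8_t` in the context) is added to `i` without an intermediate `unsigned` truncation, otherwise the same wrap-around survives one line below the change. Also, the `index d7e9168c96..ac7a1bddfe` line refers to upstream's src/libbson/src/bson/bson-utf8.c blobs, not to the file at the rewritten `bson/bson-utf8.c` path; quilt ignores it, but it is misleading and none of the other patches in the series carries one.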
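Review bot: `for (char **ptr = str; *ptr != NULL; ++ptr)` in CVE-2024-6381.patch declares the loop variable inside the `for`, which needs C99, whereas the removed code was C89-style with `int i;` at the top of the block; the package is an XS module built with the CFLAGS perl was configured with, so confirm on the bookworm toolchain that nothing passes `-std=c89`/`-ansi`, or this patch (and the mid-block `uint64_t n_bytes_sum = 0;` in CVE-2025-0755.patch) fails to compile. Functionally the change is right: with `int i`, more than INT_MAX entries makes `i` negative and `str [i]` indexes before the allocation, which matches the changelog's "free memory at a negative offset"; the pointer walk cannot go negative.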
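Review bot: in the bson_string_new hunk of CVE-2024-6383.patch, `BSON_ASSERT (len_sz <= UINT32_MAX)` admits `len_sz == UINT32_MAX`, after which `ret->alloc = ret->len + 1` wraps to 0 and the new `BSON_ASSERT (ret->alloc >= ret->len + 1)` compares 0 >= 0 and passes, so a string of exactly 4 GiB reaches the allocation with `ret->alloc == 0`; the tight bound is `len_sz < UINT32_MAX`, since there must be room for the terminator. Unlikely input, but it costs nothing to make the assert exact, and the same `<= UINT32_MAX` bound on `len_sz` is reused in the append hunk.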
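Review bot: in the bson_string_append hunk of CVE-2024-6383.patch the original `len = (uint32_t)strlen (str);` is kept as unchanged context instead of being removed, so the function now calls strlen twice and still performs the truncating cast the patch is meant to eliminate (harmlessly, because the checked `len = (uint32_t) len_sz;` three lines later overwrites it, but the dead cast will confuse the next backporter); it should be a `-` line. The guard `BSON_ASSERT (string->alloc <= UINT32_MAX - len)` before `string->alloc += len` is the actual fix for the undersized reallocation the changelog describes and looks correct. On the header: the cover letter says this patch and CVE-2025-0755.patch were adjusted for the older code, so per DEP-3 they should say `Origin: backport, <url>` as the first two patches do, not plain `Origin: <url>`.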
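Review bot: in CVE-2025-0755.patch the two new checks sit inside the `do` loop after earlier iterations have already executed `memcpy (buf, data, data_len)` and `bson->len += data_len`, so a `return false` on the second or later (data, data_len) pair leaves the earlier pairs' bytes appended and `bson->len` advanced with, as far as this hunk shows, no rollback; either hoist the size check over all pairs ahead of the loop (a first pass over a copy of the va_list summing the `data_len`s) or state in the cover letter that a `false` return from the bson_append functions leaves the document unusable. Minor: `n_bytes_sum > n_bytes - data_len` relies on the `n_bytes < data_len` test just above it to keep the subtraction from wrapping, so the two comments should say the checks are only correct as a pair rather than describing them independently.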

