Package: release.debian.org Severity: normal Tags: bookworm User: [email protected] Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [ Reason ] This update fixes CVE-2025-12119: mongoc_bulk_operation_t may read invalid memory if large options are passed [ Impact ] Users and applications integrating mongo-c-driver components may be vulnerable to a potential security issue. [ Tests ] The affected/changed code went through multiple upstream code reviews. Also, accompanying unit tests were implemented and executed in upstream's extensive CI environment. [ Risks ] Code changes are small and low risk. There are no work arounds. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Backport upstream patch from https://github.com/mongodb/mongo-c-driver/commit/27419bebfa8c0772e220592c86cf700b1ce2995d (only trivial changes were required, to account for small changes in the context lines in two instances) [ Other info ] N/A -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEIYZ1DR4ae5UL01q7ldFmTdL1kUIFAmlEeVEACgkQldFmTdL1 kUL3fBAAilVG0crjIEToojbCN9qslCiWljgNe0YmMuNwX1yEiAv/NZn70D2tItGB yeb+gbg5vJv/wALtQE53IocleCmEjNCjCa2RKmjgLZUFHUai7iSLjues/3OBFZyl Ph5yK2haxQccM5oY8XR/Qlh5/qlrBJbIEBp7mTcSQpHu/LfZ7Os5etjzhdj5s220 wPT2j8fs0Z4RxLsTYc1QV9Y5HgmLiYWUDx2f9HFcmGAl3P6rshIoWDVuQpIOP70k ynrx4v5Pu/GurgieVJee7nLRh9J607yBl8wPEPHihOcJD/CAQ3v8Iojgw+Lj4NOA 7hr8Z4kVzPdObSi7jF/gJzOz5NLc1BHnjdHp2+8+RQgEHje5Ysq2uq2e9NuedE3A YXN5+DQK6+iYbhlgLFSMHfLulx/mQ/DxHhrc9PRIlX5LRBFItL3UYvuhfAFzVnNw lOn1JokbMaHvlsJl8Z1usUIeTIkNhxm0UWn6MOtDvhthOHeRw5W2OKkx5GSQbDmn rzijrG4utrHsBWdeVbT8HJ25pYS2Ou+6R6DVp+0pZmJFGSRSYOTQ0cM1CkJn7rJw 57v12LM44X3gOICdhXUHjiLoNBFMmk6wAZRs0cHmQtP0FSIQ6mFSZAbK2oC/GA5z akqkEUCJmkEpF3zAcs1HhWy3o0/n7g5gcapDOywnhDBRsqTRLg4= =M4ze -----END PGP SIGNATURE-----
diff -Nru mongo-c-driver-1.23.1/debian/changelog mongo-c-driver-1.23.1/debian/changelog
--- mongo-c-driver-1.23.1/debian/changelog 2025-04-18 16:28:00.000000000 -0400
+++ mongo-c-driver-1.23.1/debian/changelog 2025-12-18 15:54:33.000000000 -0500
@@ -1,3 +1,10 @@
+mongo-c-driver (1.23.1-1+deb12u2) bookworm; urgency=medium
+
+ * Fix CVE-2025-12119: mongoc_bulk_operation_t may read invalid memory if
+ large options are passed.
+
+ -- Roberto C. Sanchez <[email protected]> Thu, 18 Dec 2025 15:54:33 -0500
+
 mongo-c-driver (1.23.1-1+deb12u1) bookworm; urgency=medium
 
 * Fix CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop
diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch
--- mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch 1969-12-31 19:00:00.000000000 -0500
+++ mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch 2025-12-18 15:54:33.000000000 -0500
@@ -0,0 +1,151 @@
+From 27419bebfa8c0772e220592c86cf700b1ce2995d Mon Sep 17 00:00:00 2001
+From: Kevin Albertson <[email protected]>
+Date: Mon, 6 Oct 2025 11:38:22 -0400
+Subject: [PATCH] CDRIVER-6112 fix ownership transfer of
+ `mongoc_write_command_t` (#2132) (#2137)
+
+* add regression test
+* do not memcpy `bson_t` struct in array
+ * `memcpy` does not correctly transfer ownership of `bson_t`. Instead: heap allocate `bson_t`.
+* warn against using `bson_t` in `mongoc_array_t`
+---
+ src/libmongoc/src/mongoc/mongoc-array-private.h | 3
+ src/libmongoc/src/mongoc/mongoc-write-command-private.h | 2
+ src/libmongoc/src/mongoc/mongoc-write-command.c | 10 +-
+ src/libmongoc/tests/test-mongoc-bulk.c | 56 ++++++++++++++++
+ 4 files changed, 65 insertions(+), 6 deletions(-)
+
+--- a/src/libmongoc/src/mongoc/mongoc-array-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-array-private.h
+@@ -25,6 +25,9 @@
+ BSON_BEGIN_DECLS
+
+
++// mongoc_array_t stores an array of objects of type T.
++//
++// T must be trivially relocatable. In particular, `bson_t` is not trivially relocatable (CDRIVER-6113).
+ typedef struct _mongoc_array_t mongoc_array_t;
+
+
+--- a/src/libmongoc/src/mongoc/mongoc-write-command-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-write-command-private.h
+@@ -61,7 +61,7 @@
+ uint32_t n_documents;
+ mongoc_bulk_write_flags_t flags;
+ int64_t operation_id;
+- bson_t cmd_opts;
++ bson_t *cmd_opts;
+ } mongoc_write_command_t;
+
+
+--- a/src/libmongoc/src/mongoc/mongoc-write-command.c
++++ b/src/libmongoc/src/mongoc/mongoc-write-command.c
+@@ -183,9 +183,9 @@
+ command->flags = flags;
+ command->operation_id = operation_id;
+ if (!bson_empty0 (opts)) {
+- bson_copy_to (opts, &command->cmd_opts);
++ command->cmd_opts = bson_copy (opts);
+ } else {
+- bson_init (&command->cmd_opts);
++ command->cmd_opts = bson_new ();
+ }
+
+ _mongoc_buffer_init (&command->payload, NULL, 0, NULL, NULL);
+@@ -501,7 +501,7 @@
+ ? MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_NO
+ : MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_YES;
+
+- BSON_ASSERT (bson_iter_init (&iter, &command->cmd_opts));
++ BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts));
+ if (!mongoc_cmd_parts_append_opts (
+ &parts, &iter, server_stream->sd->max_wire_version, error)) {
+ bson_destroy (&cmd);
+@@ -724,7 +724,7 @@
+ ret = mongoc_cmd_parts_set_write_concern (
+ parts, write_concern, server_stream->sd->max_wire_version, error);
+ if (ret) {
+- BSON_ASSERT (bson_iter_init (&iter, &command->cmd_opts));
++ BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts));
+ ret = mongoc_cmd_parts_append_opts (
+ parts, &iter, server_stream->sd->max_wire_version, error);
+ }
+@@ -1095,7 +1095,7 @@
+ ENTRY;
+
+ if (command) {
+- bson_destroy (&command->cmd_opts);
++ bson_destroy (command->cmd_opts);
+ _mongoc_buffer_destroy (&command->payload);
+ }
+
+--- a/src/libmongoc/tests/test-mongoc-bulk.c
++++ b/src/libmongoc/tests/test-mongoc-bulk.c
+@@ -4934,6 +4934,55 @@
+ }
+
+
++// `test_bulk_big_let` tests a bulk operation with a large let document to reproduce CDRIVER-6112:
++static void
++test_bulk_big_let (void *unused)
++{
++ BSON_UNUSED (unused);
++
++ mongoc_client_t *client = test_framework_new_default_client ();
++ mongoc_collection_t *coll = get_test_collection (client, "test_big_let");
++ bson_error_t error;
++
++ // Create bulk operation similar to PHP driver:
++ mongoc_bulk_operation_t *bulk = mongoc_bulk_operation_new (true /* ordered */);
++
++ // Set a large `let`: { "testDocument": { "a": "aaa..." } }
++ {
++ bson_t let = BSON_INITIALIZER, testDocument;
++ bson_append_document_begin (&let, "testDocument", -1, &testDocument);
++
++ // Append big string:
++ {
++ size_t num_chars = 79;
++ char *big_string = bson_malloc0 (num_chars + 1);
++ memset (big_string, 'a', num_chars);
++ BSON_APPEND_UTF8 (&testDocument, "a", big_string);
++ bson_free (big_string);
++ }
++
++ bson_append_document_end (&let, &testDocument);
++ mongoc_bulk_operation_set_let (bulk, &let);
++ bson_destroy (&let);
++ }
++
++
++ mongoc_bulk_operation_set_client (bulk, client);
++ mongoc_bulk_operation_set_database (bulk, "db");
++ mongoc_bulk_operation_set_collection (bulk, "coll");
++
++ mongoc_bulk_operation_update (
++ bulk, tmp_bson ("{'_id': 1}"), tmp_bson ("{'$set': {'document': '$$testDocument'}}"), true);
++
++
++ ASSERT_OR_PRINT (mongoc_bulk_operation_execute (bulk, NULL, &error), error);
++
++ mongoc_bulk_operation_destroy (bulk);
++ mongoc_collection_destroy (coll);
++ mongoc_client_destroy (client);
++}
++
++
+ void
+ test_bulk_install (TestSuite *suite)
+ {
+@@ -5230,4 +5279,11 @@
+ suite, "/BulkOperation/opts/let", test_bulk_let);
+ TestSuite_AddMockServerTest (
+ suite, "/BulkOperation/opts/let/multi", test_bulk_let_multi);
++ TestSuite_AddFull (
++ suite,
++ "/BulkOperation/big_let",
++ test_bulk_big_let,
++ NULL,
++ NULL,
++ test_framework_skip_if_max_wire_version_less_than_13 /* 5.0+ for 'let' support in CRUD commands */);
+ }
diff -Nru mongo-c-driver-1.23.1/debian/patches/series mongo-c-driver-1.23.1/debian/patches/series
--- mongo-c-driver-1.23.1/debian/patches/series 2025-04-18 16:28:00.000000000 -0400
+++ mongo-c-driver-1.23.1/debian/patches/series 2025-12-18 15:54:33.000000000 -0500
@@ -2,3 +2,4 @@
 CVE-2024-6381.patch
 CVE-2024-6383.patch
 CVE-2025-0755.patch
+CVE-2025-12119.patch
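Review bot: Changing `cmd_opts` from an embedded `bson_t` to `bson_t *` in mongoc-write-command-private.h is only safe if no other user of the field remains in the 1.23.1 tree, and that cannot be confirmed from the hunks shown, which convert the init, two `bson_iter_init` and destroy sites in mongoc-write-command.c. Since the backport needed context adjustments, a leftover `&command->cmd_opts` elsewhere would hand a `bson_t **` to a function expecting `bson_t *`, which a C compiler may report as an incompatible-pointer-type warning rather than an error, so a search of the bookworm source for `cmd_opts` and a look at the build log for that warning are worth doing before upload. The pointer also introduces an invariant the code depends on without stating it, because both `BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts))` sites would presumably abort on NULL; I would record it at the declaration as `bson_t *cmd_opts; /* heap-allocated, owned by the command, non-NULL after init */`. In `test_bulk_big_let`, `size_t num_chars = 79;` needs a one-line comment saying why that length reproduces the bug, and `coll` is obtained and destroyed but never used by the bulk operation, which targets "db"/"coll" directly. The functions around the mongoc-write-command.c sites start outside their hunks, so their remaining bodies were not reviewed.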

