Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]
This update fixes CVE-2025-12119:

mongoc_bulk_operation_t may read invalid memory if large options are
passed

[ Impact ]
Users and applications integrating mongo-c-driver components may be
vulnerable to a potential security issue.

[ Tests ]
The affected/changed code went through multiple upstream code reviews.
Also, accompanying unit tests were implemented and executed in
upstream's extensive CI environment.

[ Risks ]
Code changes are small and low risk. There are no work arounds.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backport upstream patch from
https://github.com/mongodb/mongo-c-driver/commit/27419bebfa8c0772e220592c86cf700b1ce2995d
(no changes required for backporting)

[ Other info ]
N/A


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEIYZ1DR4ae5UL01q7ldFmTdL1kUIFAmlEeN4ACgkQldFmTdL1
kUKK8xAAr7jhJ9PLzUQ1CryKr2gzigM51U0pqCdmIvZJQM0eKI8bP6snIoj/qcWA
HXt0BuEHJxAhLpsEbenimKgyCjoted45hEoccdjhnHGkAWdusBF0Lbab6c6Qt76m
2gBms9S1rEE4Q9ONZS4UCdU40aqC0BxVJkGtDKZT3TYqscvlhsNX9EvrZbOsmM9y
zThRlzHFbsrvpbfXzodIQQISlni9NOoAmF4L06M1bRwd4OB9GiAOl1c3xRXU1N3R
kRM6Rk/X7L/6RMTmIdOmo9fI9czTiT/D0hI9y6VUY2L7lxfIGBEDuhGV5JqLVZWl
Z4Z9u4B91l3Vyg3tl4DSo3jyleScgrUrhqV7A6Spdkd3RXOxZXJ0oL+jXNGPsMOw
C8/OdZDWxoPi4Hzyp1dgCursdSHfc5pOmTxqB9eFVfSDXB+k3jOhZGZRDyzlUcHw
Ld1QPfp3rz8SL2XE8LcLbtXQtOmG0r5X+Lk3fuNd+BdgGhDB+0aG6ZCyR9VzRckY
TUQ1nGJb5p32EYn0ZBfsUczDgfqIKQI0chhOBDwB6Q+MLdjQgbTY+0veMRE5bkRD
S/zFr2qb9sM04C2JIfRqSYjOofBXp+rnyQjtiCBSHt8D9QAWl1ev/pDU4t/CHRAP
Sxbn+un66jDhQPoCMJ/ixYiN1boz48j8Tr3n1iLASncy1/BOiN8=
=tZpt
-----END PGP SIGNATURE-----
diff -Nru mongo-c-driver-1.30.4/debian/changelog 
mongo-c-driver-1.30.4/debian/changelog
--- mongo-c-driver-1.30.4/debian/changelog      2025-05-07 15:11:43.000000000 
-0400
+++ mongo-c-driver-1.30.4/debian/changelog      2025-12-18 14:50:07.000000000 
-0500
@@ -1,3 +1,10 @@
+mongo-c-driver (1.30.4-1+deb13u1) trixie; urgency=medium
+
+  * Fix CVE-2025-12119: mongoc_bulk_operation_t may read invalid memory if
+    large options are passed.
+
+ -- Roberto C. Sanchez <[email protected]>  Thu, 18 Dec 2025 14:50:07 -0500
+
 mongo-c-driver (1.30.4-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru mongo-c-driver-1.30.4/debian/gbp.conf 
mongo-c-driver-1.30.4/debian/gbp.conf
--- mongo-c-driver-1.30.4/debian/gbp.conf       2025-05-07 15:11:43.000000000 
-0400
+++ mongo-c-driver-1.30.4/debian/gbp.conf       2025-12-18 14:50:07.000000000 
-0500
@@ -14,9 +14,9 @@
     utf8proc_rm_files=\"$(find src/utf8proc-* -printf '%p ')\" &&
     # Create upstream tarball from reference, exclude items that do not belong
     pushd $GBP_GIT_DIR/.. &&
-    git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ 
HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian 
\$zlib_filter_files \$utf8proc_filter_files | gzip > 
$GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz &&
+    ( [ -f $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ] 
|| git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD 
| tar -f - --delete mongo-c-driver-\${upstream_version}/debian 
\$zlib_filter_files \$utf8proc_filter_files | gzip > 
$GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ) &&
     popd &&
     rm -rf \$zlib_rm_files \$utf8proc_rm_files"
 
 upstream-tag = %(version)s
-debian-branch = debian/unstable
+debian-branch = debian/trixie
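Review bot: The added `[ -f $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ] ||` guard accepts any existing file at that path, so a truncated tarball left by an interrupted earlier run, or one that differs from the orig.tar.gz already published for 1.30.4, is reused without any check. Reusing the published tarball is the right intent for a stable update, but the test could at least be `[ -s … ]` rather than `[ -f … ]` so that an empty file is regenerated. A comment above the line should say that a pre-existing tarball is expected to be the one from the archive and should be verified against the checksums in the published .dsc. The setting this command belongs to starts above the hunk, so the rest of the hook is not visible here.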
diff -Nru mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch 
mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch
--- mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch   1969-12-31 
19:00:00.000000000 -0500
+++ mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch   2025-12-18 
14:50:07.000000000 -0500
@@ -0,0 +1,153 @@
+From 27419bebfa8c0772e220592c86cf700b1ce2995d Mon Sep 17 00:00:00 2001
+From: Kevin Albertson <[email protected]>
+Date: Mon, 6 Oct 2025 11:38:22 -0400
+Subject: [PATCH] CDRIVER-6112 fix ownership transfer of
+ `mongoc_write_command_t` (#2132) (#2137)
+
+* add regression test
+* do not memcpy `bson_t` struct in array
+  * `memcpy` does not correctly transfer ownership of `bson_t`. Instead: heap 
allocate `bson_t`.
+* warn against using `bson_t` in `mongoc_array_t`
+---
+ .../src/mongoc/mongoc-array-private.h         |  3 +
+ .../src/mongoc/mongoc-write-command-private.h |  2 +-
+ .../src/mongoc/mongoc-write-command.c         |  8 +--
+ src/libmongoc/tests/test-mongoc-bulk.c        | 56 +++++++++++++++++++
+ 4 files changed, 64 insertions(+), 5 deletions(-)
+
+diff --git a/src/libmongoc/src/mongoc/mongoc-array-private.h 
b/src/libmongoc/src/mongoc/mongoc-array-private.h
+index 9956224b34..c8de6f1f52 100644
+--- a/src/libmongoc/src/mongoc/mongoc-array-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-array-private.h
+@@ -25,6 +25,9 @@
+ BSON_BEGIN_DECLS
+ 
+ 
++// mongoc_array_t stores an array of objects of type T.
++//
++// T must be trivially relocatable. In particular, `bson_t` is not trivially 
relocatable (CDRIVER-6113).
+ typedef struct _mongoc_array_t mongoc_array_t;
+ 
+ 
+diff --git a/src/libmongoc/src/mongoc/mongoc-write-command-private.h 
b/src/libmongoc/src/mongoc/mongoc-write-command-private.h
+index 85121594e0..c1bf751e01 100644
+--- a/src/libmongoc/src/mongoc/mongoc-write-command-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-write-command-private.h
+@@ -61,7 +61,7 @@ typedef struct {
+    uint32_t n_documents;
+    mongoc_bulk_write_flags_t flags;
+    int64_t operation_id;
+-   bson_t cmd_opts;
++   bson_t *cmd_opts;
+ } mongoc_write_command_t;
+ 
+ 
+diff --git a/src/libmongoc/src/mongoc/mongoc-write-command.c 
b/src/libmongoc/src/mongoc/mongoc-write-command.c
+index a375d8f200..36f2470acb 100644
+--- a/src/libmongoc/src/mongoc/mongoc-write-command.c
++++ b/src/libmongoc/src/mongoc/mongoc-write-command.c
+@@ -143,9 +143,9 @@ _mongoc_write_command_init_bulk (
+    command->flags = flags;
+    command->operation_id = operation_id;
+    if (!bson_empty0 (opts)) {
+-      bson_copy_to (opts, &command->cmd_opts);
++      command->cmd_opts = bson_copy (opts);
+    } else {
+-      bson_init (&command->cmd_opts);
++      command->cmd_opts = bson_new ();
+    }
+ 
+    _mongoc_buffer_init (&command->payload, NULL, 0, NULL, NULL);
+@@ -671,7 +671,7 @@ _mongoc_write_opmsg (mongoc_write_command_t *command,
+                                ? MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_NO
+                                : MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_YES;
+ 
+-   BSON_ASSERT (bson_iter_init (&iter, &command->cmd_opts));
++   BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts));
+    if (!mongoc_cmd_parts_append_opts (&parts, &iter, error)) {
+       bson_destroy (&cmd);
+       mongoc_cmd_parts_cleanup (&parts);
+@@ -944,7 +944,7 @@ _mongoc_write_command_destroy (mongoc_write_command_t 
*command)
+    ENTRY;
+ 
+    if (command) {
+-      bson_destroy (&command->cmd_opts);
++      bson_destroy (command->cmd_opts);
+       _mongoc_buffer_destroy (&command->payload);
+    }
+ 
+diff --git a/src/libmongoc/tests/test-mongoc-bulk.c 
b/src/libmongoc/tests/test-mongoc-bulk.c
+index 357893ce1c..e4666c1db3 100644
+--- a/src/libmongoc/tests/test-mongoc-bulk.c
++++ b/src/libmongoc/tests/test-mongoc-bulk.c
+@@ -4768,6 +4768,55 @@ 
test_bulk_write_set_client_updates_operation_id_when_client_changes (void)
+    mock_server_destroy (mock_server);
+ }
+ 
++// `test_bulk_big_let` tests a bulk operation with a large let document to 
reproduce CDRIVER-6112:
++static void
++test_bulk_big_let (void *unused)
++{
++   BSON_UNUSED (unused);
++
++   mongoc_client_t *client = test_framework_new_default_client ();
++   mongoc_collection_t *coll = get_test_collection (client, "test_big_let");
++   bson_error_t error;
++
++   // Create bulk operation similar to PHP driver:
++   mongoc_bulk_operation_t *bulk = mongoc_bulk_operation_new (true /* ordered 
*/);
++
++   // Set a large `let`: { "testDocument": { "a": "aaa..." } }
++   {
++      bson_t let = BSON_INITIALIZER, testDocument;
++      bson_append_document_begin (&let, "testDocument", -1, &testDocument);
++
++      // Append big string:
++      {
++         size_t num_chars = 79;
++         char *big_string = bson_malloc0 (num_chars + 1);
++         memset (big_string, 'a', num_chars);
++         BSON_APPEND_UTF8 (&testDocument, "a", big_string);
++         bson_free (big_string);
++      }
++
++      bson_append_document_end (&let, &testDocument);
++      mongoc_bulk_operation_set_let (bulk, &let);
++      bson_destroy (&let);
++   }
++
++
++   mongoc_bulk_operation_set_client (bulk, client);
++   mongoc_bulk_operation_set_database (bulk, "db");
++   mongoc_bulk_operation_set_collection (bulk, "coll");
++
++   mongoc_bulk_operation_update (
++      bulk, tmp_bson ("{'_id': 1}"), tmp_bson ("{'$set': {'document': 
'$$testDocument'}}"), true);
++
++
++   ASSERT_OR_PRINT (mongoc_bulk_operation_execute (bulk, NULL, &error), 
error);
++
++   mongoc_bulk_operation_destroy (bulk);
++   mongoc_collection_destroy (coll);
++   mongoc_client_destroy (client);
++}
++
++
+ void
+ test_bulk_install (TestSuite *suite)
+ {
+@@ -4946,4 +4995,11 @@ test_bulk_install (TestSuite *suite)
+    TestSuite_AddMockServerTest (suite,
+                                 
"/BulkOperation/set_client_updates_operation_id_when_client_changes",
+                                 
test_bulk_write_set_client_updates_operation_id_when_client_changes);
++   TestSuite_AddFull (
++      suite,
++      "/BulkOperation/big_let",
++      test_bulk_big_let,
++      NULL,
++      NULL,
++      test_framework_skip_if_max_wire_version_less_than_13 /* 5.0+ for 'let' 
support in CRUD commands */);
+ }
+-- 
+2.39.5
+
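Review bot: In `_mongoc_write_command_destroy`, `bson_destroy (command->cmd_opts);` now frees a heap-allocated `bson_t` but leaves the pointer in place, so a second destroy of the same command, or any later read through `command->cmd_opts`, would touch freed memory; adding `command->cmd_opts = NULL;` right after the call makes a repeated destroy harmless. `_mongoc_write_opmsg` asserts on `bson_iter_init (&iter, command->cmd_opts)`, which presumably relies on every command having gone through `_mongoc_write_command_init_bulk`; whether that holds for every code path in 1.30.4, and whether any `&command->cmd_opts` use remains outside these hunks, cannot be seen from here and is worth a grep on the backported tree. In `test_bulk_big_let`, `num_chars = 79` deserves a short comment saying why that length is enough to reproduce the issue, and `coll` is obtained and destroyed but never used while the bulk writes to the hard-coded `db`/`coll` namespace. The three patched library functions continue outside their hunks.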
diff -Nru mongo-c-driver-1.30.4/debian/patches/series 
mongo-c-driver-1.30.4/debian/patches/series
--- mongo-c-driver-1.30.4/debian/patches/series 2025-05-07 15:11:43.000000000 
-0400
+++ mongo-c-driver-1.30.4/debian/patches/series 2025-12-18 14:50:07.000000000 
-0500
@@ -1 +1,2 @@
 0001_local_mathjax.diff
+CVE-2025-12119.patch
