Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Dear SRMs,
I would like to update MongoDB in stable to fix two low-impact security
issues:
- CVE-2016-6494[1] is fixed by backporting the patch already applied to
2.6 (once in sid).
- TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for
2.6[3] using the infrastructure available in MongoDB 2.4.
Unfortunately the mutable BSON infrastructure used in 2.6 is
incomplete and unusable in 2.4. I benchmarked my own version and
found no measurable performance impact.
Full source debdiff attached.
Regards,
Apollon
[1] https://security-tracker.debian.org/tracker/CVE-2016-6494
[2] https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D
[3] https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12
diff -Nru mongodb-2.4.10/debian/changelog mongodb-2.4.10/debian/changelog
--- mongodb-2.4.10/debian/changelog 2015-03-09 23:25:16.0 +0200
+++ mongodb-2.4.10/debian/changelog 2017-01-11 11:17:56.0 +0200
@@ -1,3 +1,10 @@
+mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium
+
+ * Redact key and nonce from auth attempt logs (Closes: #833087)
+ * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908)
+
+ -- Apollon Oikonomopoulos Wed, 11 Jan 2017 11:17:56 +0200
+
mongodb (1:2.4.10-5) unstable; urgency=high
* Use upstream backported fix for CVE-2015-1609 (closes: #780129).
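Review bot: the first changelog entry names only the Debian bug (#833087) while the second names its CVE; add the tracker id so the security tracker and the cover letter line up, e.g. `* Redact key and nonce from auth attempt logs (TEMP-0833087-C5410D) (Closes: #833087)`. The maintainer trailer on the `--` line also shows no email address between the name and the date as rendered here; confirm the entry parses (dpkg-parsechangelog) before upload.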
diff -Nru mongodb-2.4.10/debian/patches/CVE-2016-6494.patch mongodb-2.4.10/debian/patches/CVE-2016-6494.patch
--- mongodb-2.4.10/debian/patches/CVE-2016-6494.patch 1970-01-01 02:00:00.0 +0200
+++ mongodb-2.4.10/debian/patches/CVE-2016-6494.patch 2017-01-11 11:17:09.0 +0200
@@ -0,0 +1,39 @@
+Description: prevent group and other access on .dbshell
+ Use umask on file creation and chmod on existing file load.
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/832908
+Author: Laszlo Boszormenyi (GCS)
+Last-Update: 2016-08-04
+
+---
+
+--- mongodb-2.4.10.orig/src/mongo/shell/linenoise.cpp
mongodb-2.4.10/src/mongo/shell/linenoise.cpp
+@@ -103,6 +103,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -2626,7 +2627,10 @@ int linenoiseHistorySetMaxLen( int len )
+ /* Save the history in the specified file. On success 0 is returned
+ * otherwise -1 is returned. */
+ int linenoiseHistorySave( const char* filename ) {
++mode_t old_umask;
++old_umask = umask(S_IRWXG | S_IRWXO);
+ FILE* fp = fopen( filename, "wt" );
++umask(old_umask);
+ if ( fp == NULL ) {
+ return -1;
+ }
+@@ -2651,6 +2655,8 @@ int linenoiseHistoryLoad( const char* fi
+ return -1;
+ }
+
++chmod(filename, 00600);
++
+ char buf[LINENOISE_MAX_LINE];
+ while ( fgets( buf, LINENOISE_MAX_LINE, fp ) != NULL ) {
+ char* p = strchr( buf, '\r' );
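Review bot: in `linenoiseHistoryLoad` the new `chmod(filename, 00600)` acts on the path after the file has already been opened and its return value is discarded; prefer `fchmod(fileno(fp), S_IRUSR | S_IWUSR)` on the open descriptor so the mode change applies to the file that was actually opened and a failure can be reported. In `linenoiseHistorySave` the `umask(S_IRWXG | S_IRWXO)` is process-wide, so any other thread creating a file between the two `umask` calls inherits it; acceptable for the shell, but worth a comment. Note also that the save path only restricts permissions at creation time, so an existing world-readable `.dbshell` is fixed only because the load path runs first. As rendered here the `#include` lines carry no header names and the `+++` line for the new file has lost its prefix; verify the patch applies cleanly with quilt before upload.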
diff -Nru mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch
--- mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 1970-01-01 02:00:00.0 +0200
+++ mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 2017-01-11 11:17:09.0 +0200
@@ -0,0 +1,42 @@
+From 1d44ca172befd6ad6d3a6cb410ddf7a0e31b6f81 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos
+Date: Tue, 10 Jan 2017 17:39:57 +0200
+Subject: [PATCH] Redact key and nonce from auth attempt logs
+
+This fixes TEMP-0833087-C5410D and closes #833087.
+---
+ src/mongo/db/commands/authentication_commands.cpp | 17 -
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
+index bcc5a2f..538e9a0 100644
+--- a/src/mongo/db/commands/authentication_commands.cpp
b/src/mongo/db/commands/authentication_commands.cpp
+@@ -93,8 +93,23 @@ namespace mongo {
+ } cmdGetNonce;
+
+ bool CmdAuthenticate::run(const string& dbname , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
++// Debian #833087: redact key and nonce from authentication attempts
++BSONObjBuilder cmdToLog;
++BSONObjIterator it = cmdObj.begin();
++const StringData kKey = "key";
++const StringData kNonce = "nonce";
++
++while (it.more()) {
++BSONElement e = it.next();
++const char *fname = e.fieldName();
++if (fname == kKey || fname == kNonce) {
++cmdToLog.append(fname, "xxx");
++} else {
++cmdToLog.append(e);
++}
++}
+
+-log() << " authenticate db: " << dbname << " " << cmdObj << endl;
++log() << " authenticate db: " << dbname << " " << cmdToLog.obj() << endl;
+
+
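Review bot: no hunk touching `debian/patches/series` appears in the debdiff as shown, so confirm both new patch files are listed there, otherwise neither is ever applied. In the redaction loop, `fname == kKey` compares a `const char*` against a `StringData` through the implicit conversion; `kKey == StringData(fname)` would make the intent explicit. The `"xxx"` placeholder is an inline literal; hoisting it next to `kKey` and `kNonce` (e.g. `const StringData kRedacted = "xxx";`) keeps the redaction marker in one place. A brief comment that only top-level `key` and `nonce` fields are redacted would help the next backporter, and since `cmdToLog` is built on every authenticate call regardless of log level, it is good that the cover letter reports a benchmark.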