Bug#850931: jessie-pu: package mongodb/1:2.4.10-5

2017-02-12 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2017-01-30 at 11:28 +0200, Apollon Oikonomopoulos wrote:
> On 16:36 Sat 28 Jan , Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Wed, 2017-01-11 at 12:46 +0200, Apollon Oikonomopoulos wrote:
> > >  - CVE-2016-6494[1] is fixed by backporting the patch already applied to
> > >    2.6 (once in sid).
> > >
> > >  - TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for
> > >    2.6[3] using the infrastructure available in MongoDB 2.4.
> > >    Unfortunately the mutable BSON infrastructure used in 2.6 is
> > >    incomplete and unusable in 2.4. I benchmarked my own version and
> > >    found no measurable performance impact.
> > 
> > Please go ahead.
> > 
> > fwiw:
> > 
> > +This fixes TEMP-0833087-C5410D and closes #833087.
> > 
> > The Security Team have previously requested that TEMP-* identifiers not
> > be used in changelogs at least; I'm not sure how far that extends to
> > things like patch headers.
> 
> Uploaded with the following interdiff:

Flagged for acceptance.

Regards,

Adam



Bug#850931: jessie-pu: package mongodb/1:2.4.10-5

2017-01-30 Thread Apollon Oikonomopoulos
On 16:36 Sat 28 Jan , Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2017-01-11 at 12:46 +0200, Apollon Oikonomopoulos wrote:
> >  - CVE-2016-6494[1] is fixed by backporting the patch already applied to
> >    2.6 (once in sid).
> >
> >  - TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for
> >    2.6[3] using the infrastructure available in MongoDB 2.4.
> >    Unfortunately the mutable BSON infrastructure used in 2.6 is
> >    incomplete and unusable in 2.4. I benchmarked my own version and
> >    found no measurable performance impact.
> 
> Please go ahead.
> 
> fwiw:
> 
> +This fixes TEMP-0833087-C5410D and closes #833087.
> 
> The Security Team have previously requested that TEMP-* identifiers not
> be used in changelogs at least; I'm not sure how far that extends to
> things like patch headers.

Uploaded with the following interdiff:

diff -u 
mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 
mongodb-2.4.10/debian/patches/Redact-key-and-nonce-f
--- 
mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 
2017-01-11 11:17:09.0 +0200
+++ 
mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 
2017-01-11 11:17:56.0 +0200
@@ -1,9 +1,8 @@
 From 1d44ca172befd6ad6d3a6cb410ddf7a0e31b6f81 Mon Sep 17 00:00:00 2001
 From: Apollon Oikonomopoulos 
 Date: Tue, 10 Jan 2017 17:39:57 +0200
+Bug-Debian: #833087
 Subject: [PATCH] Redact key and nonce from auth attempt logs
-
-This fixes TEMP-0833087-C5410D and closes #833087.
 ---
  src/mongo/db/commands/authentication_commands.cpp | 17 -
  1 file changed, 16 insertions(+), 1 deletion(-)
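Review bot: the added `Bug-Debian: #833087` line uses a bare bug number, while the package's other patch (CVE-2016-6494.patch) uses the DEP-3 URL form `Bug-Debian: https://bugs.debian.org/832908`; writing it as `Bug-Debian: https://bugs.debian.org/833087` keeps the two patch headers consistent. It is also inserted between the `Date:` and `Subject:` lines of the git mail header; placing it after `Subject:` keeps the three git-generated lines together and reads more naturally when the patch is re-exported.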

Regards,
Apollon



Bug#850931: jessie-pu: package mongodb/1:2.4.10-5

2017-01-28 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2017-01-11 at 12:46 +0200, Apollon Oikonomopoulos wrote:
>  - CVE-2016-6494[1] is fixed by backporting the patch already applied to
>    2.6 (once in sid).
>
>  - TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for
>    2.6[3] using the infrastructure available in MongoDB 2.4.
>    Unfortunately the mutable BSON infrastructure used in 2.6 is
>    incomplete and unusable in 2.4. I benchmarked my own version and
>    found no measurable performance impact.

Please go ahead.

fwiw:

+This fixes TEMP-0833087-C5410D and closes #833087.

The Security Team have previously requested that TEMP-* identifiers not
be used in changelogs at least; I'm not sure how far that extends to
things like patch headers.

Regards,

Adam



Bug#850931: jessie-pu: package mongodb/1:2.4.10-5

2017-01-11 Thread Apollon Oikonomopoulos
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear SRMs,

I would like to update MongoDB in stable to fix two low-impact security 
issues:

 - CVE-2016-6494[1] is fixed by backporting the patch already applied to 
   2.6 (once in sid).

 - TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for 
   2.6[3] using the infrastructure available in MongoDB 2.4.  
   Unfortunately the mutable BSON infrastructure used in 2.6 is 
   incomplete and unusable in 2.4. I benchmarked my own version and 
   found no measurable performance impact.

Full source debdiff attached.

Regards,
Apollon

[1] https://security-tracker.debian.org/tracker/CVE-2016-6494
[2] https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D
[3] https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12
diff -Nru mongodb-2.4.10/debian/changelog mongodb-2.4.10/debian/changelog
--- mongodb-2.4.10/debian/changelog	2015-03-09 23:25:16.0 +0200
+++ mongodb-2.4.10/debian/changelog	2017-01-11 11:17:56.0 +0200
@@ -1,3 +1,10 @@
+mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium
+
+  * Redact key and nonce from auth attempt logs (Closes: #833087)
+  * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908)
+
+ -- Apollon Oikonomopoulos   Wed, 11 Jan 2017 11:17:56 +0200
+
 mongodb (1:2.4.10-5) unstable; urgency=high
 
   * Use upstream backported fix for CVE-2015-1609 (closes: #780129).
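Review bot: the `Backport patch for CVE-2016-6494 from 2.6` entry says where the patch came from but not what it changes; a few words on the effect, taken from the patch's own Description (the mongo shell's .dbshell history file is no longer created or left group/other readable), would tell jessie users what actually changed when they read the changelog or the DSA text derived from it.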
diff -Nru mongodb-2.4.10/debian/patches/CVE-2016-6494.patch mongodb-2.4.10/debian/patches/CVE-2016-6494.patch
--- mongodb-2.4.10/debian/patches/CVE-2016-6494.patch	1970-01-01 02:00:00.0 +0200
+++ mongodb-2.4.10/debian/patches/CVE-2016-6494.patch	2017-01-11 11:17:09.0 +0200
@@ -0,0 +1,39 @@
+Description: prevent group and other access on .dbshell
+ Use umask on file creation and chmod on existing file load.
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/832908
+Author: Laszlo Boszormenyi (GCS) 
+Last-Update: 2016-08-04
+
+---
+
+--- mongodb-2.4.10.orig/src/mongo/shell/linenoise.cpp
 mongodb-2.4.10/src/mongo/shell/linenoise.cpp
+@@ -103,6 +103,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -2626,7 +2627,10 @@ int linenoiseHistorySetMaxLen( int len )
+ /* Save the history in the specified file. On success 0 is returned
+  * otherwise -1 is returned. */
+ int linenoiseHistorySave( const char* filename ) {
++mode_t old_umask;
++old_umask = umask(S_IRWXG | S_IRWXO);
+ FILE* fp = fopen( filename, "wt" );
++umask(old_umask);
+ if ( fp == NULL ) {
+ return -1;
+ }
+@@ -2651,6 +2655,8 @@ int linenoiseHistoryLoad( const char* fi
+ return -1;
+ }
+ 
++chmod(filename, 00600);
++
+ char buf[LINENOISE_MAX_LINE];
+ while ( fgets( buf, LINENOISE_MAX_LINE, fp ) != NULL ) {
+ char* p = strchr( buf, '\r' );
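Review bot: in the linenoiseHistoryLoad hunk, `++chmod(filename, 00600);` operates on the path after the file has already been opened and its return value is discarded; `fchmod(fileno(fp), S_IRUSR | S_IWUSR)` with the result checked would tie the mode change to the descriptor that was actually opened and surface failures instead of silently leaving an old world-readable history file as it was. The umask change in linenoiseHistorySave only affects newly created files, so this load-time tightening is what covers an existing .dbshell; a one-line comment saying so would make the split between the two hunks clear. Also, the `#include` lines in this archived copy show no header name, so the added include cannot be verified here; `<sys/stat.h>` is the header that umask, chmod and S_IRWXG/S_IRWXO need.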
diff -Nru mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch
--- mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch	1970-01-01 02:00:00.0 +0200
+++ mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch	2017-01-11 11:17:09.0 +0200
@@ -0,0 +1,42 @@
+From 1d44ca172befd6ad6d3a6cb410ddf7a0e31b6f81 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos 
+Date: Tue, 10 Jan 2017 17:39:57 +0200
+Subject: [PATCH] Redact key and nonce from auth attempt logs
+
+This fixes TEMP-0833087-C5410D and closes #833087.
+---
+ src/mongo/db/commands/authentication_commands.cpp | 17 -
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
+index bcc5a2f..538e9a0 100644
+--- a/src/mongo/db/commands/authentication_commands.cpp
 b/src/mongo/db/commands/authentication_commands.cpp
+@@ -93,8 +93,23 @@ namespace mongo {
+ } cmdGetNonce;
+ 
+ bool CmdAuthenticate::run(const string& dbname , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
++// Debian #833087: redact key and nonce from authentication attempts
++BSONObjBuilder cmdToLog;
++BSONObjIterator it = cmdObj.begin();
++const StringData kKey = "key";
++const StringData kNonce = "nonce";
++
++while (it.more()) {
++BSONElement e = it.next();
++const char *fname = e.fieldName();
++if (fname == kKey || fname == kNonce) {
++cmdToLog.append(fname, "xxx");
++} else {
++cmdToLog.append(e);
++}
++}
+ 
+-log() << " authenticate db: " << dbname << " " << cmdObj << endl;
++log() << " authenticate db: " << dbname << " " << cmdToLog.obj() << endl;
+ 
+
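Review bot: the patch description line `+This fixes TEMP-0833087-C5410D and closes #833087.` still carries the TEMP-* identifier that the Security Team asked to keep out of changelogs; a `Bug-Debian:` header in place of that sentence records the bug without the temporary ID. In the code, `fname == kKey` compares a `const char*` with a `StringData`, which depends on StringData's implicit construction from C strings; a short comment (or a plain `strcmp`) would make that intent explicit to the next reader. Note also that the hunk is cut off in this copy right after the replaced `log()` line, so the remainder of the 16-line insertion cannot be reviewed here.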
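The two file-permission fixes from the CVE-2016-6494 patch above (umask around creation, tightening an existing file on load), as an added stand-alone C example that is not code from the Debian package or from MongoDB; it substitutes fchmod() on the open descriptor for the patch's chmod() on the path, and the history_* function names, the scratch path and the sample history line are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fileno(), fchmod() under strict ISO C */
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Save: clear group/other bits at creation time by narrowing the umask around
 * fopen(), as the 2.4 patch does for ~/.dbshell. Returns 0, or -1 on error. */
int history_save(const char *path, const char *line)
{
    mode_t old_umask = umask(S_IRWXG | S_IRWXO);
    FILE *fp = fopen(path, "wt");
    umask(old_umask);                       /* restore the caller's umask */
    if (fp == NULL) return -1;
    if (fprintf(fp, "%s\n", line) < 0) { fclose(fp); return -1; }
    return fclose(fp) == 0 ? 0 : -1;
}

/* Load: tighten an existing, possibly world-readable file to 0600 via fchmod()
 * on the descriptor actually opened (the patch uses chmod() on the path and
 * ignores its result). Returns the line count, or -1 on error. */
int history_load(const char *path)
{
    FILE *fp = fopen(path, "rt");
    if (fp == NULL) return -1;
    if (fchmod(fileno(fp), S_IRUSR | S_IWUSR) != 0) { fclose(fp); return -1; }
    char buf[256];
    int lines = 0;
    while (fgets(buf, sizeof buf, fp) != NULL) lines++;
    fclose(fp);
    return lines;
}

int history_mode(const char *path)          /* permission bits, or -1 */
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Scratch-path walk-through (path assumed writable): create under a permissive
 * umask, then widen to 0644 like a pre-fix ~/.dbshell and reload. 0 = both 0600. */
int demo(const char *path)
{
    umask(0);                               /* worst case for the creation path */
    unlink(path);
    if (history_save(path, "db.users.find()") != 0 || history_mode(path) != 0600) return 1;
    if (chmod(path, 0644) != 0) return 2;   /* simulate the pre-fix file */
    if (history_load(path) != 1 || history_mode(path) != 0600) return 3;
    unlink(path);
    return 0;
}
```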