-------------------------------------------------------------------------
Debian LTS Advisory DLA-4160-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                  Roberto C. Sánchez
May 09, 2025                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libbson-xs-perl
Version        : 0.8.4-1+deb11u1
CVE ID         : CVE-2017-14227 CVE-2018-16790 CVE-2023-0437 CVE-2024-6381
                 CVE-2024-6383 CVE-2025-0755

Several vulnerabilities have been found in libbson-xs-perl, the Perl XS
implementation of MongoDB's BSON serialization.

CVE-2017-14227

    The bson_iter_codewscope function in bson-iter.c miscalculates a
    bson_utf8_validate length argument, which allows remote attackers to
    cause a denial of service (heap-based buffer over-read in the
    bson_utf8_validate function in bson-utf8.c), as demonstrated by
    bson-to-json.c.

CVE-2018-16790

    _bson_iter_next_internal has a heap-based buffer over-read via a
    crafted bson buffer.

CVE-2023-0437

    When calling bson_utf8_validate on some inputs a loop with an exit
    condition that cannot be reached may occur, i.e. an infinite loop.

CVE-2024-6381

    The bson_strfreev function in the MongoDB C driver library may be
    susceptible to an integer overflow where the function will try to
    free memory at a negative offset. This may result in memory
    corruption.

CVE-2024-6383

    The bson_string_append function in MongoDB C Driver may be vulnerable
    to a buffer overflow where the function might attempt to allocate too
    small a buffer and may lead to memory corruption of neighbouring heap
    memory.

CVE-2025-0755

    The various bson_append functions in the MongoDB C driver library may
    be susceptible to buffer overflow when performing operations that
    could result in a final BSON document which exceeds the maximum
    allowable size (INT32_MAX), resulting in a segmentation fault and
    possible application crash.

For Debian 11 bullseye, these problems have been fixed in version
0.8.4-1+deb11u1.

We recommend that you upgrade your libbson-xs-perl packages.

For the detailed security status of libbson-xs-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libbson-xs-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
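The parsing-side bugs above (the code_w_scope length miscalculation of CVE-2017-14227, the iterator over-read of CVE-2018-16790, the UTF-8 validation loop of CVE-2023-0437) share one root cause: a length field taken from the document was trusted beyond the bounds of the buffer or of the enclosing element. The following walker, added here as an illustration and not part of Debian's or libbson's code, shows the checks a decoder has to make for each nested length; it covers only the element types it lists and delegates UTF-8 validation to Python's decoder.

```python
# Fixed-size payloads by element type: double, ObjectId, bool, datetime, null, int32, timestamp, int64.
FIXED = {0x01: 8, 0x07: 12, 0x08: 1, 0x09: 8, 0x0A: 0, 0x10: 4, 0x11: 8, 0x12: 8}
def _int32(buf, pos, limit):
    if pos + 4 > limit:
        raise ValueError("truncated int32 at offset %d" % pos)
    return int.from_bytes(buf[pos:pos + 4], "little", signed=True)
def _string_size(buf, pos, limit):  # string = int32 length (counts the NUL), UTF-8 bytes, NUL
    n = _int32(buf, pos, limit)
    if n < 1 or pos + 4 + n > limit or buf[pos + 3 + n] != 0:
        raise ValueError("string length out of bounds at offset %d" % pos)
    buf[pos + 4:pos + 3 + n].decode("utf-8")  # UnicodeDecodeError (a ValueError) on bad UTF-8
    return 4 + n
def _doc_size(buf, pos, limit):  # document = int32 total length, elements, NUL
    n = _int32(buf, pos, limit)
    if n < 5 or pos + n > limit or buf[pos + n - 1] != 0:
        raise ValueError("document length out of bounds at offset %d" % pos)
    return n
def validate(buf, pos=0, limit=None):
    # Walk one BSON document, checking every length against its enclosing bounds; return its keys.
    end = pos + _doc_size(buf, pos, len(buf) if limit is None else limit) - 1  # offset of the final NUL
    p, keys = pos + 4, []
    while p < end:
        etype, kend = buf[p], buf.index(b"\x00", p + 1, end)  # ValueError if the key is unterminated
        keys.append(buf[p + 1:kend].decode("utf-8"))
        p = kend + 1
        if etype in FIXED:
            size = FIXED[etype]
        elif etype == 0x02:           # string
            size = _string_size(buf, p, end)
        elif etype in (0x03, 0x04):   # embedded document / array: recurse, bounded by this document
            size = _doc_size(buf, p, end)
            validate(buf, p, end)
        elif etype == 0x0F:           # code_w_scope: int32 total, string, scope document
            size = _int32(buf, p, end)
            if size < 14 or p + size > end:
                raise ValueError("code_w_scope length out of bounds at offset %d" % p)
            slen = _string_size(buf, p + 4, p + size)  # the string must fit inside the declared total
            if 4 + slen + _doc_size(buf, p + 4 + slen, p + size) != size:
                raise ValueError("code_w_scope parts do not add up at offset %d" % p)
            validate(buf, p + 4 + slen, p + size)
        else:
            raise ValueError("unsupported element type 0x%02x at offset %d" % (etype, p))
        if p + size > end:
            raise ValueError("element overruns document at offset %d" % p)
        p += size
    return keys
def check(buf):
    # Return the top-level keys of a well-formed document, or None if it is malformed.
    try:
        return validate(buf)
    except ValueError:
        return None
```

Every loop iteration consumes at least the type byte and the key's NUL, so a malformed input ends in a ValueError rather than an endless loop or an out-of-range read.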