
mongodb: CVE-2015-1609 in squeeze



Hi,
from what I can see the squeeze version of mongodb is not affected by
the above CVE since

    void BSONElement::validate() const {
        switch( type() ) {
        case DBRef:
        case Code:
        case Symbol:
        case String: {
            int x = valuestrsize();
            if ( x > 0 && valuestr()[x-1] == 0 )
                return;
            StringBuilder buf;
            buf <<  "Invalid dbref/code/string/symbol size: " << x << " strnlen:" << strnlen( valuestr() , x );
            massert( 10321 , buf.str() , 0 );
            break;
        }

already checks that the string has a length greater than zero, so I
marked the CVE as not requiring further action in squeeze, but it would
be great to have an additional pair of eyes more familiar with the
codebase double-check. Does this look correct?

Cheers,
 -- Guido
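
The check quoted in the message above, written out as a stand-alone validator. This is an added example, not part of the original message and not MongoDB's code. It assumes the BSON string layout of a little-endian int32 size followed by that many bytes including the trailing NUL; the name checkBsonString and the sample buffers are constructed for illustration, and the buffer-bounds test goes beyond the quoted lines.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class StrCheck { Ok, Truncated, BadSize, NoTerminator };

// Hypothetical helper: validates one BSON string value held in buf[0..len).
StrCheck checkBsonString(const unsigned char* buf, std::size_t len) {
    if (len < 4) return StrCheck::Truncated;            // no room for the size prefix
    // Little-endian int32 size prefix; it counts the trailing NUL byte.
    std::uint32_t raw = std::uint32_t(buf[0]) | (std::uint32_t(buf[1]) << 8) |
                        (std::uint32_t(buf[2]) << 16) | (std::uint32_t(buf[3]) << 24);
    std::int32_t x = static_cast<std::int32_t>(raw);
    // Same condition as the quoted validate(): x > 0 must hold before x-1 is used
    // as an index, otherwise a zero or negative size reads in front of the value.
    if (x <= 0) return StrCheck::BadSize;
    // Added bounds test: the declared size must fit in the bytes actually present.
    if (static_cast<std::size_t>(x) > len - 4) return StrCheck::Truncated;
    // Equivalent of valuestr()[x-1] == 0.
    if (buf[4 + static_cast<std::size_t>(x) - 1] != 0) return StrCheck::NoTerminator;
    return StrCheck::Ok;
}

// Constructed sample values (size prefix followed by string bytes).
const std::vector<unsigned char> kValid    = {3, 0, 0, 0, 'h', 'i', 0};
const std::vector<unsigned char> kZero     = {0, 0, 0, 0};
const std::vector<unsigned char> kNegative = {0xff, 0xff, 0xff, 0xff, 'a', 0};
const std::vector<unsigned char> kNoNul    = {2, 0, 0, 0, 'h', 'i'};
const std::vector<unsigned char> kOverrun  = {9, 0, 0, 0, 'h', 'i', 0};

int main() {
    const std::vector<unsigned char>* samples[] = {&kValid, &kZero, &kNegative,
                                                   &kNoNul, &kOverrun};
    const char* names[] = {"Ok", "Truncated", "BadSize", "NoTerminator"};
    for (const auto* s : samples) {
        StrCheck r = checkBsonString(s->data(), s->size());
        std::printf("%zu bytes -> %s\n", s->size(), names[static_cast<int>(r)]);
    }
    return 0;
}
```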

