Bug#704053: unblock: mongodb/2.0.6-1.1
Package: release.debian.org
Severity: normal
Tags: patch
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package mongodb for t-p-u
Upstream has fixed a critical remote vulnerability, see
CVE-2013-1892 [1]. I have extracted the patches to fix the issue
from upstream and uploaded 2.0.6-1.1 into t-p-u since there
is already a newer upstream version of mongodb in unstable.
Attaching the debdiff for 2.0.6-1.1.
unblock mongodb/2.0.6-1.1
Cheers,
Adrian
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704042
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru mongodb-2.0.6/debian/changelog mongodb-2.0.6/debian/changelog
--- mongodb-2.0.6/debian/changelog 2012-06-05 19:53:16.000000000 +0200
+++ mongodb-2.0.6/debian/changelog 2013-03-27 13:08:29.000000000 +0100
@@ -1,3 +1,11 @@
+mongodb (1:2.0.6-1.1) testing-proposed-updates; urgency=high
+
+ * Non-maintainer upload.
+ * Include patch to address remote vulnerability
+ CVE-2013-1895 (Closes: #704042).
+
+ -- John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Wed, 27 Mar 2013 13:08:10 +0100
+
mongodb (1:2.0.6-1) unstable; urgency=low
* New upstream release 2.0.6
diff -Nru mongodb-2.0.6/debian/patches/0004-CVE-2013-1892-part1.patch mongodb-2.0.6/debian/patches/0004-CVE-2013-1892-part1.patch
--- mongodb-2.0.6/debian/patches/0004-CVE-2013-1892-part1.patch 1970-01-01 01:00:00.000000000 +0100
+++ mongodb-2.0.6/debian/patches/0004-CVE-2013-1892-part1.patch 2013-03-27 12:59:01.000000000 +0100
@@ -0,0 +1,172 @@
+From 3c5c12f7d57ba1e44250d3e1734885a5cafaf8e2 Mon Sep 17 00:00:00 2001
+From: Dan Pasette <dan@10gen.com>
+Date: Tue, 26 Mar 2013 16:52:39 -0400
+Subject: [PATCH] SERVER-9124: Avoid raw pointers for SM's nativeHelper
+
+---
+ scripting/engine_spidermonkey.cpp | 116 +++++++++++++++++++++++++------------
+ 1 file changed, 78 insertions(+), 38 deletions(-)
+
+diff --git a/scripting/engine_spidermonkey.cpp b/scripting/engine_spidermonkey.cpp
+index 64fe21c..e857b90 100644
+--- a/scripting/engine_spidermonkey.cpp
++++ b/scripting/engine_spidermonkey.cpp
+@@ -47,6 +47,9 @@ namespace mongo {
+ }
+ };
+
++ typedef std::map<long long, NativeFunction> FunctionMap;
++ typedef std::map<long long, void*> ArgumentMap;
++
+ string trim( string s ) {
+ while ( s.size() && isspace( s[0] ) )
+ s = s.substr( 1 );
+@@ -997,43 +1000,8 @@ namespace mongo {
+ return JS_TRUE;
+ }
+
+- JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
+- Convertor c(cx);
+-
+- NativeFunction func = (NativeFunction)((long long)c.getNumber( obj , "x" ) );
+- void* data = (void*)((long long)c.getNumber( obj , "y" ) );
+- assert( func );
+-
+- BSONObj a;
+- if ( argc > 0 ) {
+- BSONObjBuilder args;
+- for ( uintN i=0; i<argc; i++ ) {
+- c.append( args , args.numStr( i ) , argv[i] );
+- }
+-
+- a = args.obj();
+- }
+-
+- BSONObj out;
+- try {
+- out = func( a, data );
+- }
+- catch ( std::exception& e ) {
+- JS_ReportError( cx , e.what() );
+- return JS_FALSE;
+- }
+-
+- if ( out.isEmpty() ) {
+- *rval = JSVAL_VOID;
+- }
+- else {
+- *rval = c.toval( out.firstElement() );
+- }
+-
+- return JS_TRUE;
+- }
+-
+ JSBool native_load( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval );
++ JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval );
+
+ JSBool native_gc( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
+ JS_GC( cx );
+@@ -1611,11 +1579,17 @@ namespace mongo {
+ void injectNative( const char *field, NativeFunction func, void* data ) {
+ smlock;
+ string name = field;
+- _convertor->setProperty( _global , (name + "_").c_str() , _convertor->toval( (double)(long long)func ) );
++ long long funcId = static_cast<long long>(_functionMap.size());
++ _functionMap.insert(make_pair(funcId, func));
++ jsval v = _convertor->toval(funcId);
++ _convertor->setProperty(_global, (name + "_").c_str(), v);
+
+ stringstream code;
+ if (data) {
+- _convertor->setProperty( _global , (name + "_data_").c_str() , _convertor->toval( (double)(long long)data ) );
++ long long argsId = static_cast<long long>(_argumentMap.size());
++ _argumentMap.insert(make_pair(argsId, data));
++ v = _convertor->toval(argsId);
++ _convertor->setProperty(_global, (name + "_data_").c_str(), v);
+ code << field << "_" << " = { x : " << field << "_ , y: " << field << "_data_ }; ";
+ } else {
+ code << field << "_" << " = { x : " << field << "_ }; ";
+@@ -1631,6 +1605,10 @@ namespace mongo {
+
+ JSContext *SavedContext() const { return _context; }
+
++ // map from internal function id to function pointer
++ FunctionMap _functionMap;
++ // map from internal function argument id to function pointer
++ ArgumentMap _argumentMap;
+ private:
+
+ void _postCreateHacks() {
+@@ -1696,7 +1674,69 @@ namespace mongo {
+ return JS_TRUE;
+ }
+
++ JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
++ try {
++ Convertor c(cx);
++
++ // get function pointer from JS caller's argument property 'x'
++ massert(16735, "nativeHelper argument requires object with 'x' property",
++ c.hasProperty(obj, "x"));
++ FunctionMap::iterator funcIter =
++ currentScope->_functionMap.find(static_cast<long long>(c.getNumber(obj, "x")));
++ massert(16734, "JavaScript function not in map",
++ funcIter != currentScope->_functionMap.end());
++ NativeFunction func = funcIter->second;
++ assert(func);
++
++ // get data pointer from JS caller's argument property 'y'
++ void* data = NULL;
++ if (c.hasProperty(obj, "y")) {
++ ArgumentMap::iterator argIter = currentScope->_argumentMap.find(
++ static_cast<long long>(c.getNumber(obj, "y")));
++ massert(16736, "nativeHelper 'y' parameter must be in the argumentMap",
++ argIter != currentScope->_argumentMap.end());
++ data = argIter->second;
++ }
++
++ BSONObj a;
++ if ( argc > 0 ) {
++ BSONObjBuilder args;
++ for ( uintN i = 0; i < argc; ++i ) {
++ c.append( args , args.numStr( i ) , argv[i] );
++ }
++ a = args.obj();
++ }
++
++ BSONObj out;
++ try {
++ out = func( a, data );
++ }
++ catch ( std::exception& e ) {
++ if ( ! JS_IsExceptionPending( cx ) ) {
++ JS_ReportError( cx, e.what() );
++ }
++ return JS_FALSE;
++ }
+
++ if ( out.isEmpty() ) {
++ *rval = JSVAL_VOID;
++ }
++ else {
++ *rval = c.toval( out.firstElement() );
++ }
++ }
++ catch ( const AssertionException& e ) {
++ if ( ! JS_IsExceptionPending( cx ) ) {
++ JS_ReportError( cx, e.what() );
++ }
++ return JS_FALSE;
++ }
++ catch ( const std::exception& e ) {
++ log() << "unhandled exception: " << e.what() << ", throwing Fatal Assertion" << endl;
++ verifyFailed( 16281 );
++ }
++ return JS_TRUE;
++ }
+
+ void SMEngine::runTest() {
+ SMScope s;
+--
+1.7.10.4
+
diff -Nru mongodb-2.0.6/debian/patches/0005-CVE-2013-1892-part2.patch mongodb-2.0.6/debian/patches/0005-CVE-2013-1892-part2.patch
--- mongodb-2.0.6/debian/patches/0005-CVE-2013-1892-part2.patch 1970-01-01 01:00:00.000000000 +0100
+++ mongodb-2.0.6/debian/patches/0005-CVE-2013-1892-part2.patch 2013-03-27 12:59:25.000000000 +0100
@@ -0,0 +1,34 @@
+From bb999bb5032346e4391d80225b1532bc43df9446 Mon Sep 17 00:00:00 2001
+From: Ben Becker <ben.becker@10gen.com>
+Date: Tue, 26 Mar 2013 18:33:20 -0700
+Subject: [PATCH] SERVER-9124: cast id to double before converting to JS
+
+---
+ scripting/engine_spidermonkey.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/scripting/engine_spidermonkey.cpp b/scripting/engine_spidermonkey.cpp
+index e857b90..e409e6f 100644
+--- a/scripting/engine_spidermonkey.cpp
++++ b/scripting/engine_spidermonkey.cpp
+@@ -1581,14 +1581,14 @@ namespace mongo {
+ string name = field;
+ long long funcId = static_cast<long long>(_functionMap.size());
+ _functionMap.insert(make_pair(funcId, func));
+- jsval v = _convertor->toval(funcId);
++ jsval v = _convertor->toval((static_cast<double>(funcId)));
+ _convertor->setProperty(_global, (name + "_").c_str(), v);
+-
+ stringstream code;
++
+ if (data) {
+ long long argsId = static_cast<long long>(_argumentMap.size());
+ _argumentMap.insert(make_pair(argsId, data));
+- v = _convertor->toval(argsId);
++ v = _convertor->toval(static_cast<double>(argsId));
+ _convertor->setProperty(_global, (name + "_data_").c_str(), v);
+ code << field << "_" << " = { x : " << field << "_ , y: " << field << "_data_ }; ";
+ } else {
+--
+1.7.10.4
+
diff -Nru mongodb-2.0.6/debian/patches/series mongodb-2.0.6/debian/patches/series
--- mongodb-2.0.6/debian/patches/series 2012-06-05 19:53:16.000000000 +0200
+++ mongodb-2.0.6/debian/patches/series 2013-03-27 13:05:12.000000000 +0100
@@ -1,3 +1,5 @@
0001-install-libs-to-usr-lib-not-usr-lib64-Closes-588557.patch
0002-Ignore-unused-but-set-variables-and-params-Closes-62.patch
0003-use-system-wide-pcre.patch
+0004-CVE-2013-1892-part1.patch
+0005-CVE-2013-1892-part2.patch
Reply to: