
Bug#704053: marked as done (unblock: mongodb/2.0.6-1.1)



Your message dated Wed, 27 Mar 2013 19:24:11 +0000
with message-id <1364412251.22071.7.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#704053: unblock: mongodb/2.0.6-1.1
has caused the Debian Bug report #704053,
regarding unblock: mongodb/2.0.6-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
704053: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704053
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: patch
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mongodb for t-p-u

Upstream has fixed a critical remote vulnerability, see
CVE-2013-1892 [1]. I have extracted the patches to fix the issue
from upstream and uploaded 2.0.6-1.1 into t-p-u since there
is already a newer upstream version of mongodb in unstable.

Attaching the debdiff for 2.0.6-1.1.

unblock mongodb/2.0.6-1.1

Cheers,

Adrian

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704042

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru mongodb-2.0.6/debian/changelog mongodb-2.0.6/debian/changelog
--- mongodb-2.0.6/debian/changelog	2012-06-05 19:53:16.000000000 +0200
+++ mongodb-2.0.6/debian/changelog	2013-03-27 13:08:29.000000000 +0100
@@ -1,3 +1,11 @@
+mongodb (1:2.0.6-1.1) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload.
+  * Include patch to address remote vulnerability
+    CVE-2013-1895 (Closes: #704042).
+
+ -- John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>  Wed, 27 Mar 2013 13:08:10 +0100
+
 mongodb (1:2.0.6-1) unstable; urgency=low
 
   * New upstream release 2.0.6
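Review bot: the changelog entry names CVE-2013-1895, while the bug subject, the two new patch files (0004-CVE-2013-1892-part1.patch, 0005-CVE-2013-1892-part2.patch) and the referenced bug #704042 all say CVE-2013-1892; one of the identifiers is wrong, and the changelog is what users and the security tracker will read, so please make it consistent before upload. A few words on what is fixed (the raw function and data pointers that nativeHelper took from JavaScript-supplied numbers, per the patch subject) would also help anyone reading the changelog without the patches.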
diff -Nru mongodb-2.0.6/debian/patches/0004-CVE-2013-1892-part1.patch mongodb-2.0.6/debian/patches/0004-CVE-2013-1892-part1.patch
--- mongodb-2.0.6/debian/patches/0004-CVE-2013-1892-part1.patch	1970-01-01 01:00:00.000000000 +0100
+++ mongodb-2.0.6/debian/patches/0004-CVE-2013-1892-part1.patch	2013-03-27 12:59:01.000000000 +0100
@@ -0,0 +1,172 @@
+From 3c5c12f7d57ba1e44250d3e1734885a5cafaf8e2 Mon Sep 17 00:00:00 2001
+From: Dan Pasette <dan@10gen.com>
+Date: Tue, 26 Mar 2013 16:52:39 -0400
+Subject: [PATCH] SERVER-9124: Avoid raw pointers for SM's nativeHelper
+
+---
+ scripting/engine_spidermonkey.cpp |  116 +++++++++++++++++++++++++------------
+ 1 file changed, 78 insertions(+), 38 deletions(-)
+
+diff --git a/scripting/engine_spidermonkey.cpp b/scripting/engine_spidermonkey.cpp
+index 64fe21c..e857b90 100644
+--- a/scripting/engine_spidermonkey.cpp
++++ b/scripting/engine_spidermonkey.cpp
+@@ -47,6 +47,9 @@ namespace mongo {
+         }
+     };
+ 
++    typedef std::map<long long, NativeFunction> FunctionMap;
++    typedef std::map<long long, void*> ArgumentMap;
++
+     string trim( string s ) {
+         while ( s.size() && isspace( s[0] ) )
+             s = s.substr( 1 );
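Review bot: the new `FunctionMap` and `ArgumentMap` typedefs use `std::map`, but no `#include <map>` is visible in this patch; it is probably reached transitively through other headers, but an explicit include in engine_spidermonkey.cpp would avoid a build break if those headers change.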
+@@ -997,43 +1000,8 @@ namespace mongo {
+         return JS_TRUE;
+     }
+ 
+-    JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
+-        Convertor c(cx);
+-
+-        NativeFunction func = (NativeFunction)((long long)c.getNumber( obj , "x" ) );
+-        void* data = (void*)((long long)c.getNumber( obj , "y" ) );
+-        assert( func );
+-
+-        BSONObj a;
+-        if ( argc > 0 ) {
+-            BSONObjBuilder args;
+-            for ( uintN i=0; i<argc; i++ ) {
+-                c.append( args , args.numStr( i ) , argv[i] );
+-            }
+-
+-            a = args.obj();
+-        }
+-
+-        BSONObj out;
+-        try {
+-            out = func( a, data );
+-        }
+-        catch ( std::exception& e ) {
+-            JS_ReportError( cx , e.what() );
+-            return JS_FALSE;
+-        }
+-
+-        if ( out.isEmpty() ) {
+-            *rval = JSVAL_VOID;
+-        }
+-        else {
+-            *rval = c.toval( out.firstElement() );
+-        }
+-
+-        return JS_TRUE;
+-    }
+-
+     JSBool native_load( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval );
++    JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval );
+ 
+     JSBool native_gc( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
+         JS_GC( cx );
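Review bot: the removed `native_helper` cast the script-supplied numbers `x` and `y` straight to a `NativeFunction` and a `void*`, with only `assert( func )` standing between a script and an arbitrary call target, so replacing it is the right fix; the forward declaration added here is fine, but the replacement definition is placed just before `SMEngine::runTest` instead of at this spot, which turns a localised change into a large remove/add pair and makes the backport harder to review. Keeping the new definition here would give a much smaller and clearer diff.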
+@@ -1611,11 +1579,17 @@ namespace mongo {
+         void injectNative( const char *field, NativeFunction func, void* data ) {
+             smlock;
+             string name = field;
+-            _convertor->setProperty( _global , (name + "_").c_str() , _convertor->toval( (double)(long long)func ) );
++            long long funcId = static_cast<long long>(_functionMap.size());
++            _functionMap.insert(make_pair(funcId, func));
++            jsval v = _convertor->toval(funcId);
++            _convertor->setProperty(_global, (name + "_").c_str(), v);
+ 
+             stringstream code;
+             if (data) {
+-                _convertor->setProperty( _global , (name + "_data_").c_str() , _convertor->toval( (double)(long long)data ) );
++                long long argsId = static_cast<long long>(_argumentMap.size());
++                _argumentMap.insert(make_pair(argsId, data));
++                v = _convertor->toval(argsId);
++                _convertor->setProperty(_global, (name + "_data_").c_str(), v);
+                 code << field << "_" << " = { x : " << field << "_ , y: " << field << "_data_ }; ";
+             } else {
+                 code << field << "_" << " = { x : " << field << "_ }; ";
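Review bot: `_convertor->toval(funcId)` and `_convertor->toval(argsId)` now pass a `long long`, whereas the removed lines converted through `(double)`; unless `Convertor::toval` has a `long long` overload this will pick a different overload than intended, and the follow-up 0005 patch casts to `double` for exactly this reason, so the two patches must ship together (as the series file does). Using `_functionMap.size()` and `_argumentMap.size()` as the next id is only collision-free while nothing ever erases from the maps; a short comment or a monotonically increasing counter would make that invariant explicit. The id is still exposed to scripts through the global `<field>_` property, which is acceptable now that it is merely a key into a server-side map rather than an address.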
+@@ -1631,6 +1605,10 @@ namespace mongo {
+ 
+         JSContext *SavedContext() const { return _context; }
+ 
++        // map from internal function id to function pointer
++        FunctionMap _functionMap;
++        // map from internal function argument id to function pointer
++        ArgumentMap _argumentMap;
+     private:
+ 
+         void _postCreateHacks() {
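Review bot: the comment on `_argumentMap` reads "map from internal function argument id to function pointer", but the map stores the `void*` data argument passed to `injectNative`, not a function pointer; please correct it. Both members are also declared above `private:` and are therefore public; since `native_helper` reaches them through `currentScope`, consider moving them under `private:` and giving the helper access explicitly, so that no other code path can insert arbitrary pointers into the maps.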
+@@ -1696,7 +1674,69 @@ namespace mongo {
+         return JS_TRUE;
+     }
+ 
++    JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
++        try {
++            Convertor c(cx);
++
++            // get function pointer from JS caller's argument property 'x'
++            massert(16735, "nativeHelper argument requires object with 'x' property",
++                    c.hasProperty(obj, "x"));
++            FunctionMap::iterator funcIter =
++                    currentScope->_functionMap.find(static_cast<long long>(c.getNumber(obj, "x")));
++            massert(16734, "JavaScript function not in map",
++                    funcIter != currentScope->_functionMap.end());
++            NativeFunction func = funcIter->second;
++            assert(func);
++
++            // get data pointer from JS caller's argument property 'y'
++            void* data = NULL;
++            if (c.hasProperty(obj, "y")) {
++                ArgumentMap::iterator argIter = currentScope->_argumentMap.find(
++                                static_cast<long long>(c.getNumber(obj, "y")));
++                massert(16736, "nativeHelper 'y' parameter must be in the argumentMap",
++                        argIter != currentScope->_argumentMap.end());
++                data = argIter->second;
++            }
++
++            BSONObj a;
++            if ( argc > 0 ) {
++                BSONObjBuilder args;
++                for ( uintN i = 0; i < argc; ++i ) {
++                    c.append( args , args.numStr( i ) , argv[i] );
++                }
++                a = args.obj();
++            }
++
++            BSONObj out;
++            try {
++                out = func( a, data );
++            }
++            catch ( std::exception& e ) {
++                if ( ! JS_IsExceptionPending( cx ) ) {
++                    JS_ReportError( cx, e.what() );
++                }
++                return JS_FALSE;
++            }
+ 
++            if ( out.isEmpty() ) {
++                *rval = JSVAL_VOID;
++            }
++            else {
++                *rval = c.toval( out.firstElement() );
++            }
++        }
++        catch ( const AssertionException& e ) {
++            if ( ! JS_IsExceptionPending( cx ) ) {
++                JS_ReportError( cx, e.what() );
++            }
++            return JS_FALSE;
++        }
++        catch ( const std::exception& e ) {
++            log() << "unhandled exception: " << e.what() << ", throwing Fatal Assertion" << endl;
++            verifyFailed( 16281 );
++        }
++        return JS_TRUE;
++    }
+ 
+     void SMEngine::runTest() {
+         SMScope s;
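Review bot: in the final `catch ( const std::exception& e )` block, `verifyFailed( 16281 )` is followed by fall-through to `return JS_TRUE;`; unless `verifyFailed` is guaranteed never to return, the caller receives JS_TRUE with `*rval` never assigned, so add `return JS_FALSE;` after it (or mark `verifyFailed` as noreturn). Two further points: `static_cast<long long>(c.getNumber(obj, "x"))` (and the same for `"y"`) is undefined behaviour when the script supplies a NaN, an infinity or a value outside the `long long` range, so check that the double is finite and in range before casting, since the whole purpose of the change is that `x` and `y` are script-controlled; and the function depends on `currentScope` pointing at the scope whose maps `injectNative` populated, which this hunk does not show, so please confirm it is bound to the calling thread.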
+-- 
+1.7.10.4
+
diff -Nru mongodb-2.0.6/debian/patches/0005-CVE-2013-1892-part2.patch mongodb-2.0.6/debian/patches/0005-CVE-2013-1892-part2.patch
--- mongodb-2.0.6/debian/patches/0005-CVE-2013-1892-part2.patch	1970-01-01 01:00:00.000000000 +0100
+++ mongodb-2.0.6/debian/patches/0005-CVE-2013-1892-part2.patch	2013-03-27 12:59:25.000000000 +0100
@@ -0,0 +1,34 @@
+From bb999bb5032346e4391d80225b1532bc43df9446 Mon Sep 17 00:00:00 2001
+From: Ben Becker <ben.becker@10gen.com>
+Date: Tue, 26 Mar 2013 18:33:20 -0700
+Subject: [PATCH] SERVER-9124: cast id to double before converting to JS
+
+---
+ scripting/engine_spidermonkey.cpp |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/scripting/engine_spidermonkey.cpp b/scripting/engine_spidermonkey.cpp
+index e857b90..e409e6f 100644
+--- a/scripting/engine_spidermonkey.cpp
++++ b/scripting/engine_spidermonkey.cpp
+@@ -1581,14 +1581,14 @@ namespace mongo {
+             string name = field;
+             long long funcId = static_cast<long long>(_functionMap.size());
+             _functionMap.insert(make_pair(funcId, func));
+-            jsval v = _convertor->toval(funcId);
++            jsval v = _convertor->toval((static_cast<double>(funcId)));
+             _convertor->setProperty(_global, (name + "_").c_str(), v);
+-
+             stringstream code;
++
+             if (data) {
+                 long long argsId = static_cast<long long>(_argumentMap.size());
+                 _argumentMap.insert(make_pair(argsId, data));
+-                v = _convertor->toval(argsId);
++                v = _convertor->toval(static_cast<double>(argsId));
+                 _convertor->setProperty(_global, (name + "_data_").c_str(), v);
+                 code << field << "_" << " = { x : " << field << "_ , y: " << field << "_data_ }; ";
+             } else {
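Review bot: `toval((static_cast<double>(funcId)))` carries a redundant pair of parentheses; write it as `toval(static_cast<double>(funcId))`, matching the `argsId` line below. The cast to `double` is the right fix for the overload problem in part 1, but it makes the JavaScript-visible id a double, so the `static_cast<long long>` back in `native_helper` is exact only for ids below 2^53; with sequential ids from `map::size()` that is unreachable in practice, but a comment stating the assumption would help. The removed and re-added blank line around `stringstream code;` is pure whitespace churn and could be left out of the backport.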
+-- 
+1.7.10.4
+
diff -Nru mongodb-2.0.6/debian/patches/series mongodb-2.0.6/debian/patches/series
--- mongodb-2.0.6/debian/patches/series	2012-06-05 19:53:16.000000000 +0200
+++ mongodb-2.0.6/debian/patches/series	2013-03-27 13:05:12.000000000 +0100
@@ -1,3 +1,5 @@
 0001-install-libs-to-usr-lib-not-usr-lib64-Closes-588557.patch
 0002-Ignore-unused-but-set-variables-and-params-Closes-62.patch
 0003-use-system-wide-pcre.patch
+0004-CVE-2013-1892-part1.patch
+0005-CVE-2013-1892-part2.patch
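Review bot: the order here is correct and matters: the `index e857b90..e409e6f` header of 0005 shows it was generated against the tree produced by 0004 (`index 64fe21c..e857b90`), so 0005 will not apply if the two are reordered. Since both patches are upstream commits, recording the upstream ticket (SERVER-9124) and the upstream commit ids in DEP-3 `Origin`/`Bug` headers on the patch files would preserve that provenance outside the changelog.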

--- End Message ---
--- Begin Message ---
On Wed, 2013-03-27 at 15:14 +0100, John Paul Adrian Glaubitz wrote:
> On 03/27/2013 02:30 PM, Adam D. Barratt wrote:
> > As far as I can tell, the package in unstable is still vulnerable. Is
> > there a plan for getting that fixed?
> 
> The version in unstable is 2.4.1 which is not affected according to the 
> upstream bug tracker [1].
[...]
>  > [1] https://jira.mongodb.org/browse/SERVER-9124

Yeah, I looked there before asking. It's annoyingly confusing - there's
a 2.4 minor version in the fixed list, but not the affected list.

Anyway, unblocked; thanks for the fix.

Regards,

Adam

--- End Message ---
