Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear SRMs,

I would like to update MongoDB in stable to fix two low-impact security issues:

 - CVE-2016-6494[1] is fixed by backporting the patch already applied to 2.6 (once in sid).

 - TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for 2.6[3] using the infrastructure available in MongoDB 2.4. Unfortunately the mutable BSON infrastructure used in 2.6 is incomplete and unusable in 2.4. I benchmarked my own version and found no measurable performance impact.

Full source debdiff attached.

Regards,
Apollon

[1] https://security-tracker.debian.org/tracker/CVE-2016-6494
[2] https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D
[3] https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12
diff -Nru mongodb-2.4.10/debian/changelog mongodb-2.4.10/debian/changelog
--- mongodb-2.4.10/debian/changelog 2015-03-09 23:25:16.000000000 +0200
+++ mongodb-2.4.10/debian/changelog 2017-01-11 11:17:56.000000000 +0200
@@ -1,3 +1,10 @@
+mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium
+
+ * Redact key and nonce from auth attempt logs (Closes: #833087)
+ * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908)
+
+ -- Apollon Oikonomopoulos <apoikos@debian.org> Wed, 11 Jan 2017 11:17:56 +0200
+
mongodb (1:2.4.10-5) unstable; urgency=high
* Use upstream backported fix for CVE-2015-1609 (closes: #780129).
diff -Nru mongodb-2.4.10/debian/patches/CVE-2016-6494.patch mongodb-2.4.10/debian/patches/CVE-2016-6494.patch
--- mongodb-2.4.10/debian/patches/CVE-2016-6494.patch 1970-01-01 02:00:00.000000000 +0200
+++ mongodb-2.4.10/debian/patches/CVE-2016-6494.patch 2017-01-11 11:17:09.000000000 +0200
@@ -0,0 +1,39 @@
+Description: prevent group and other access on .dbshell
+ Use umask on file creation and chmod on existing file load.
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/832908
+Author: Laszlo Boszormenyi (GCS) <gcs@debian.org>
+Last-Update: 2016-08-04
+
+---
+
+--- mongodb-2.4.10.orig/src/mongo/shell/linenoise.cpp
++++ mongodb-2.4.10/src/mongo/shell/linenoise.cpp
+@@ -103,6 +103,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/types.h>
++#include <sys/stat.h>
+ #include <sys/ioctl.h>
+ #include <cctype>
+ #include <wctype.h>
+@@ -2626,7 +2627,10 @@ int linenoiseHistorySetMaxLen( int len )
+ /* Save the history in the specified file. On success 0 is returned
+ * otherwise -1 is returned. */
+ int linenoiseHistorySave( const char* filename ) {
++ mode_t old_umask;
++ old_umask = umask(S_IRWXG | S_IRWXO);
+ FILE* fp = fopen( filename, "wt" );
++ umask(old_umask);
+ if ( fp == NULL ) {
+ return -1;
+ }
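Review bot: the tightened umask around `fopen( filename, "wt" )` only governs file creation, so an already existing `.dbshell` is truncated but keeps whatever group/other bits it had; this hunk therefore depends on the `chmod` added in `linenoiseHistoryLoad` to repair pre-existing history files. Adding `fchmod(fileno(fp), S_IRUSR | S_IWUSR)` right after the `fp == NULL` check would make the save path self-sufficient. Note also that `umask()` is process-wide, so any other thread creating a file during the `fopen` would inherit the stricter mask; the window here is just the one call, which is acceptable, but it is a further reason to prefer `fchmod` on the open descriptor over relying on umask.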
+@@ -2651,6 +2655,8 @@ int linenoiseHistoryLoad( const char* fi
+ return -1;
+ }
+
++ chmod(filename, 00600);
++
+ char buf[LINENOISE_MAX_LINE];
+ while ( fgets( buf, LINENOISE_MAX_LINE, fp ) != NULL ) {
+ char* p = strchr( buf, '\r' );
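Review bot: `chmod(filename, 00600)` discards its return value and operates on the path rather than on the stream that is already open at this point, so it follows a symlink (changing the mode of whatever `~/.dbshell` points at) and races against a rename between the `fopen` and the `chmod`. Since `fp` is valid here, `fchmod(fileno(fp), S_IRUSR | S_IWUSR)` is the safer form; it works on a read-only descriptor as long as the caller owns the file. For consistency with `umask(S_IRWXG | S_IRWXO)` in the save hunk, spell the mode with the `S_I*` macros rather than `00600`, and add a short comment stating that a failure here is deliberately ignored (or log it), so the silent discard does not look like an oversight.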
diff -Nru mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch
--- mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 1970-01-01 02:00:00.000000000 +0200
+++ mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 2017-01-11 11:17:09.000000000 +0200
@@ -0,0 +1,42 @@
+From 1d44ca172befd6ad6d3a6cb410ddf7a0e31b6f81 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos <apoikos@debian.org>
+Date: Tue, 10 Jan 2017 17:39:57 +0200
+Subject: [PATCH] Redact key and nonce from auth attempt logs
+
+This fixes TEMP-0833087-C5410D and closes #833087.
+---
+ src/mongo/db/commands/authentication_commands.cpp | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
+index bcc5a2f..538e9a0 100644
+--- a/src/mongo/db/commands/authentication_commands.cpp
++++ b/src/mongo/db/commands/authentication_commands.cpp
+@@ -93,8 +93,23 @@ namespace mongo {
+ } cmdGetNonce;
+
+ bool CmdAuthenticate::run(const string& dbname , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
++ // Debian #833087: redact key and nonce from authentication attempts
++ BSONObjBuilder cmdToLog;
++ BSONObjIterator it = cmdObj.begin();
++ const StringData kKey = "key";
++ const StringData kNonce = "nonce";
++
++ while (it.more()) {
++ BSONElement e = it.next();
++ const char *fname = e.fieldName();
++ if (fname == kKey || fname == kNonce) {
++ cmdToLog.append(fname, "xxx");
++ } else {
++ cmdToLog.append(e);
++ }
++ }
+
+- log() << " authenticate db: " << dbname << " " << cmdObj << endl;
++ log() << " authenticate db: " << dbname << " " << cmdToLog.obj() << endl;
+
+ string user = cmdObj.getStringField("user");
+
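Review bot: `if (fname == kKey || fname == kNonce)` compares by content only because `kKey` and `kNonce` are `StringData` (implicit construction from `const char*` plus a content-comparing `operator==`); if a later cleanup turns those constants into plain `const char*`, the same line silently becomes a pointer comparison and the redaction stops working. Making the intent explicit, e.g. `if (StringData(fname) == kKey || StringData(fname) == kNonce)` or a `strcmp`, removes that trap. The `// Debian #833087` comment would also benefit from one sentence on why exactly `key` and `nonce` are replaced with `"xxx"` while every other field (such as `user`) is copied through unchanged via `cmdToLog.append(e)`, so the next person editing this log line knows which fields must never reappear in it.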
+--
+2.10.2
+
diff -Nru mongodb-2.4.10/debian/patches/series mongodb-2.4.10/debian/patches/series
--- mongodb-2.4.10/debian/patches/series 2015-03-09 23:21:17.000000000 +0200
+++ mongodb-2.4.10/debian/patches/series 2017-01-11 11:17:09.000000000 +0200
@@ -18,3 +18,5 @@
8b9242837510e6410ddcf4f19969da4c7b01b2f7.patch
656f78711632a5dc37221422c99e3c4619bcc58f.patch
3a7e85ea1f672f702660e5472566234b1d19038e.patch
+Redact-key-and-nonce-from-auth-attempt-logs.patch
+CVE-2016-6494.patch
Attachment:
signature.asc
Description: PGP signature