Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: pymongo@packages.debian.org
Control: affects -1 + src:pymongo
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
CVE-2024-5629
[ Impact ]
An out-of-bounds read in the 'bson' module allows deserialization
of malformed BSON provided by a server to raise an exception which may contain
arbitrary application memory.
[ Tests ]
Test suite of package
[ Risks ]
The code change is near trivial.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
* QA upload
* Fix CVE-2024-5629: An out-of-bounds read in the
'bson' module allowed deserialization of malformed BSON
provided by a Server to raise an exception which may
contain arbitrary application memory
* Use correct salsa CI
[ Other info ]
QA upload: the package is orphaned.
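The following is an added example and not code from pymongo or from this debdiff: a stand-alone model of the two length checks that the patch below changes in bson/_cbsonmodule.c, in their pre-patch and patched forms, run over a hand-built code_w_scope element whose declared scope length makes the uint32_t sum wrap. The function names, the `rd_u32` helper, the result convention (accepted scope_size, or 0 for rejected), the `max < 12` guard and the sample byte strings are this example's own; only the two `if` conditions are copied from the patch. `max` plays the role of pymongo's `max` argument: the number of bytes available from the start of the element value.

```c
/* Added example (not pymongo's code): model of the code_w_scope length checks
 * in bson/_cbsonmodule.c get_value() before and after the CVE-2024-5629 patch.
 * Build: cc -std=c99 -Wall cws_check.c && ./a.out */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define BSON_MIN_SIZE 5u   /* int32 length + terminating 0x00 of an empty document */

/* Little-endian uint32 read: what memcpy() + BSON_UINT32_FROM_LE() do in pymongo. */
static uint32_t rd_u32(const unsigned char *buffer, uint32_t off)
{
    return (uint32_t)buffer[off] | ((uint32_t)buffer[off + 1] << 8)
         | ((uint32_t)buffer[off + 2] << 16) | ((uint32_t)buffer[off + 3] << 24);
}

/* Both validators return the scope_size the checks accept, or 0 when the element
 * is rejected (a valid scope_size is never below BSON_MIN_SIZE, so 0 is unambiguous).
 * The `max < 12` guard and the position bookkeeping are this example's own. */
static uint32_t accepted_scope_size_old(const unsigned char *buffer, uint32_t max)
{
    uint32_t c_w_s_size, code_size, scope_size, position = 0;

    if (max < 12)                               /* length, code length, scope length */
        return 0;
    c_w_s_size = rd_u32(buffer, position);
    position += 4;
    code_size = rd_u32(buffer, position);
    /* pre-patch check, as in the patch's '-' line: the sum may wrap in uint32_t */
    if (!code_size || max < code_size || max < 4 + 4 + code_size + 4)
        return 0;
    position += 4 + code_size;                  /* skip code length field and code */
    scope_size = rd_u32(buffer, position);
    if (scope_size < BSON_MIN_SIZE)
        return 0;
    /* pre-patch check: computed modulo 2^32, so a huge scope_size can still
     * "add up" to a small declared c_w_s_size */
    if ((4 + code_size + 4 + scope_size) != c_w_s_size)
        return 0;
    return scope_size;
}

static uint32_t accepted_scope_size_new(const unsigned char *buffer, uint32_t max)
{
    uint32_t c_w_s_size, code_size, scope_size, len, position = 0;

    if (max < 12)
        return 0;
    c_w_s_size = rd_u32(buffer, position);
    position += 4;
    code_size = rd_u32(buffer, position);
    /* patched check: len < code_size is only true when the addition wrapped */
    len = 4 + 4 + code_size + 4;
    if (!code_size || max < code_size || max < len || len < code_size)
        return 0;
    position += 4 + code_size;
    scope_size = rd_u32(buffer, position);
    /* patched check: len < scope_size is only true when the addition wrapped */
    len = 4 + 4 + code_size + scope_size;
    if (scope_size < BSON_MIN_SIZE || len != c_w_s_size || len < scope_size)
        return 0;
    return scope_size;
}

/* Constructed sample: a well-formed value, Code("x") with an empty scope.
 * c_w_s_size 15 = 4 + 4 + 2 ("x\0") + 5 (empty scope document). */
static const unsigned char VALID_CWS[15] = {
    0x0F, 0x00, 0x00, 0x00,          /* c_w_s_size = 15 */
    0x02, 0x00, 0x00, 0x00,          /* code_size = 2 */
    'x', 0x00,                       /* code */
    0x05, 0x00, 0x00, 0x00, 0x00     /* scope: empty document */
};

/* Constructed sample: c_w_s_size 16 is smaller than 4 + 4 + code_size = 18, so the
 * only scope_size satisfying the pre-patch equality is (16 - 18) mod 2^32 =
 * 0xFFFFFFFE, which the pre-patch checks accept as the scope length. */
static const unsigned char WRAPPED_CWS[22] = {
    0x10, 0x00, 0x00, 0x00,                                 /* c_w_s_size = 16 */
    0x0A, 0x00, 0x00, 0x00,                                 /* code_size = 10 */
    'r', 'e', 't', 'u', 'r', 'n', ' ', '1', ';', 0x00,      /* code */
    0xFE, 0xFF, 0xFF, 0xFF                                  /* scope_size = 0xFFFFFFFE */
};

int main(void)
{
    printf("valid element:   old=%" PRIu32 " new=%" PRIu32 "\n",
           accepted_scope_size_old(VALID_CWS, (uint32_t)sizeof VALID_CWS),
           accepted_scope_size_new(VALID_CWS, (uint32_t)sizeof VALID_CWS));
    printf("wrapped element: old=0x%08" PRIx32 " new=%" PRIu32 "\n",
           accepted_scope_size_old(WRAPPED_CWS, (uint32_t)sizeof WRAPPED_CWS),
           accepted_scope_size_new(WRAPPED_CWS, (uint32_t)sizeof WRAPPED_CWS));
    return 0;
}
```

The well-formed element is accepted by both versions with scope_size 5. For the wrapped element the pre-patch arithmetic yields 18 + 0xFFFFFFFE, which wraps to exactly the declared 16, so the old equality holds and a scope length of 0xFFFFFFFE is handed on; the patched `len < scope_size` term rejects it. Note that for the first check the wrap can only occur when code_size exceeds UINT32_MAX - 12, which `max < code_size` already rules out for any realistic buffer; the scope_size check is the one that matters for this CVE.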
diff -Nru pymongo-3.11.0/debian/changelog pymongo-3.11.0/debian/changelog
--- pymongo-3.11.0/debian/changelog 2020-10-17 21:23:41.000000000 +0000
+++ pymongo-3.11.0/debian/changelog 2024-06-16 17:42:49.000000000 +0000
@@ -1,3 +1,13 @@
+pymongo (3.11.0-1+deb12u1) bookworm; urgency=medium
+
+ * QA upload
+ * Fix CVE-2024-5629: An out-of-bounds read in the
+ 'bson' module allowed deserialization of malformed BSON
+ provided by a Server to raise an exception which may
+ contain arbitrary application memory
+
+ -- Bastien Roucariès <rouca@debian.org> Sun, 16 Jun 2024 17:42:49 +0000
+
pymongo (3.11.0-1) unstable; urgency=medium
[ Federico Ceratto ]
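Review bot: the new changelog entry records only the CVE fix, but this debdiff also switches Maintainer to the Debian QA Group (debian/control) and rewrites debian/gitlab-ci.yml, so the "[X] *all* changes are documented in the d/changelog" checklist item is not met. Add two bullets to the deb12u1 entry, for example "* Set Maintainer to Debian QA Group (package is orphaned)" and "* Use the standard salsa-ci pipeline", so the pu request's [ Changes ] list and the changelog match.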
diff -Nru pymongo-3.11.0/debian/control pymongo-3.11.0/debian/control
--- pymongo-3.11.0/debian/control 2020-10-17 21:23:41.000000000 +0000
+++ pymongo-3.11.0/debian/control 2024-06-16 17:42:49.000000000 +0000
@@ -1,7 +1,7 @@
Source: pymongo
Section: python
Priority: optional
-Maintainer: Federico Ceratto <federico@debian.org>
+Maintainer: Debian QA Group <packages@qa.debian.org>
Build-Depends: debhelper-compat (= 13),
dh-python,
python3-all-dev,
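Review bot: the Maintainer change to Debian QA Group is the expected handling for a QA upload of an orphaned package and is metadata only, but it is not mentioned in the changelog entry of this debdiff; record it there so the stable release team can see every difference from 3.11.0-1 at a glance.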
diff -Nru pymongo-3.11.0/debian/gitlab-ci.yml pymongo-3.11.0/debian/gitlab-ci.yml
--- pymongo-3.11.0/debian/gitlab-ci.yml 2020-10-17 21:23:41.000000000 +0000
+++ pymongo-3.11.0/debian/gitlab-ci.yml 2024-06-16 17:42:49.000000000 +0000
@@ -1,9 +1,7 @@
-image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
-build:
- artifacts:
- paths:
- - "*.deb"
- expire_in: 1 day
- script:
- - gitlab-ci-git-buildpackage-all
+variables:
+ RELEASE: 'bookworm'
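Review bot: this CI rewrite is unrelated to CVE-2024-5629 and is not shipped in any binary package, so it is harmless for the stable update, but it should be listed in the changelog entry (the pu template above calls it "Use correct salsa CI"). `RELEASE: 'bookworm'` matches the target suite of the deb12u1 upload. Note that both includes fetch the pipeline definition from the `master` branch of salsa-ci-team/pipeline, so the jobs run are whatever that branch contains at the time; that is the usual salsa-ci setup, just not a pinned one.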
diff -Nru pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch
--- pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch 1970-01-01 00:00:00.000000000 +0000
+++ pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch 2024-06-16 17:42:49.000000000 +0000
@@ -0,0 +1,51 @@
+From: Shane Harvey <shnhrv@gmail.com>
+Date: Wed, 27 Mar 2024 13:16:55 -0700
+Subject: CVE-2024-5629 PYTHON-4305 Fix bson size check
+
+An out-of-bounds read in the 'bson' module allows deserialization
+of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.
+
+bug: https://jira.mongodb.org/browse/PYTHON-4305
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-5629
+origin: https://patch-diff.githubusercontent.com/raw/mongodb/mongo-python-driver/pull/1564.patch
+---
+ bson/_cbsonmodule.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c
+index f457f96..02d9105 100644
+--- a/bson/_cbsonmodule.c
++++ b/bson/_cbsonmodule.c
+@@ -2334,6 +2334,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ uint32_t c_w_s_size;
+ uint32_t code_size;
+ uint32_t scope_size;
++ uint32_t len;
+ PyObject* code;
+ PyObject* scope;
+ PyObject* code_type;
+@@ -2353,7 +2354,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ memcpy(&code_size, buffer + *position, 4);
+ code_size = BSON_UINT32_FROM_LE(code_size);
+ /* code_w_scope length + code length + code + scope length */
+- if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
++ len = 4 + 4 + code_size + 4;
++ if (!code_size || max < code_size || max < len || len < code_size) {
+ goto invalid;
+ }
+ *position += 4;
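Review bot: the new `len < code_size` term is a correct wrap detector, since `4 + 4 + code_size + 4` can only overflow uint32_t when code_size exceeds UINT32_MAX - 12, and in that case the wrapped `len` is necessarily smaller than code_size. Because `max < code_size` is still checked first, this term can only fire when `max` itself is within 12 of UINT32_MAX, so it is defence in depth rather than the fix for the reported bug; the scope_size check in the next hunk is the one that closes the CVE. A one-line comment next to `len < code_size` saying it is the overflow check would help, as the existing comment only documents what the sum represents.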
+@@ -2371,12 +2373,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+
+ memcpy(&scope_size, buffer + *position, 4);
+ scope_size = BSON_UINT32_FROM_LE(scope_size);
+- if (scope_size < BSON_MIN_SIZE) {
+- Py_DECREF(code);
+- goto invalid;
+- }
+ /* code length + code + scope length + scope */
+- if ((4 + code_size + 4 + scope_size) != c_w_s_size) {
++ len = 4 + 4 + code_size + scope_size;
++ if (scope_size < BSON_MIN_SIZE || len != c_w_s_size || len < scope_size) {
+ Py_DECREF(code);
+ goto invalid;
+ }
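Review bot: the merged condition is right, and the `len < scope_size` term is the actual fix: before the patch, a c_w_s_size smaller than `4 + code_size + 4` could be satisfied by a scope_size of roughly UINT32_MAX - (4 + code_size + 4 - c_w_s_size), because the sum was compared modulo 2^32, and that huge scope_size passed `scope_size < BSON_MIN_SIZE` and was used as the scope length. After the patch, a wrapped sum is always smaller than scope_size and is rejected. Two things to check before upload: the debdiff adds no regression test for a malformed code_w_scope value, although [ Tests ] relies on the package test suite, so consider carrying the upstream test if PR 1564 has one; and only bson/_cbsonmodule.c is touched, so confirm whether the pure-Python bson decoder used when the C extension is unavailable needs the same guard.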
diff -Nru pymongo-3.11.0/debian/patches/series pymongo-3.11.0/debian/patches/series
--- pymongo-3.11.0/debian/patches/series 2020-10-17 21:23:41.000000000 +0000
+++ pymongo-3.11.0/debian/patches/series 2024-06-16 17:42:49.000000000 +0000
@@ -1 +1,2 @@
fcb6a8ecbc98fceca138d74fb09b516b172bb4e0.patch
+0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch