Bug#1073524: marked as done (bookworm-pu: package pymongo/3.11.0-1+deb12u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 29 Jun 2024 10:46:21 +0000
with message-id <E1sNVb3-002bjt-Ds@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1073524,
regarding bookworm-pu: package pymongo/3.11.0-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1073524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073524
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: bookworm-pu: package pymongo/3.11.0-1+deb12u1
• From: Bastien Roucariès <rouca@debian.org>
• Date: Sun, 16 Jun 2024 20:25:01 +0000
• Message-id: <[🔎] 4038963.7po5IEuXJF@portable-bastien>

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: pymongo@packages.debian.org
Control: affects -1 + src:pymongo
User: release.debian.org@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2024-5629

[ Impact ]
An out-of-bounds read in the 'bson' module allows deserialization
of malformed BSON provided by a Server to raise an exception which may contain
arbitrary application memory

[ Tests ]
Test suite of package

[ Risks ]
code is near trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * QA upload
 * Fix CVE-2024-5629: An out-of-bounds read in the
    'bson' module allowed deserialization of malformed BSON
 * Use correct salsa CI
+    provided by a Server to raise an exception which may
+    contain arbitrary application memory


[ Other info ]
QA upload package is orphaned

diff -Nru pymongo-3.11.0/debian/changelog pymongo-3.11.0/debian/changelog
--- pymongo-3.11.0/debian/changelog	2020-10-17 21:23:41.000000000 +0000
+++ pymongo-3.11.0/debian/changelog	2024-06-16 17:42:49.000000000 +0000
@@ -1,3 +1,13 @@
+pymongo (3.11.0-1+deb12u1) bookworm; urgency=medium
+
+  * QA upload
+  * Fix CVE-2024-5629: An out-of-bounds read in the
+    'bson' module allowed deserialization of malformed BSON
+    provided by a Server to raise an exception which may
+    contain arbitrary application memory
+
+ -- Bastien Roucariès <rouca@debian.org>  Sun, 16 Jun 2024 17:42:49 +0000
+
 pymongo (3.11.0-1) unstable; urgency=medium
 
   [ Federico Ceratto ]
diff -Nru pymongo-3.11.0/debian/control pymongo-3.11.0/debian/control
--- pymongo-3.11.0/debian/control	2020-10-17 21:23:41.000000000 +0000
+++ pymongo-3.11.0/debian/control	2024-06-16 17:42:49.000000000 +0000
@@ -1,7 +1,7 @@
 Source: pymongo
 Section: python
 Priority: optional
-Maintainer: Federico Ceratto <federico@debian.org>
+Maintainer: Debian QA Group <packages@qa.debian.org> 
 Build-Depends: debhelper-compat (= 13),
  dh-python,
  python3-all-dev,
diff -Nru pymongo-3.11.0/debian/gitlab-ci.yml pymongo-3.11.0/debian/gitlab-ci.yml
--- pymongo-3.11.0/debian/gitlab-ci.yml	2020-10-17 21:23:41.000000000 +0000
+++ pymongo-3.11.0/debian/gitlab-ci.yml	2024-06-16 17:42:49.000000000 +0000
@@ -1,9 +1,7 @@
-image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
-build:
-  artifacts:
-    paths:
-    - "*.deb"
-    expire_in: 1 day
-  script:
-    - gitlab-ci-git-buildpackage-all
+variables:
+  RELEASE: 'bookworm'
diff -Nru pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch
--- pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch	1970-01-01 00:00:00.000000000 +0000
+++ pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch	2024-06-16 17:42:49.000000000 +0000
@@ -0,0 +1,51 @@
+From: Shane Harvey <shnhrv@gmail.com>
+Date: Wed, 27 Mar 2024 13:16:55 -0700
+Subject: CVE-2024-5629 PYTHON-4305 Fix bson size check
+
+An out-of-bounds read in the 'bson' module allows deserialization
+of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.
+
+bug: https://jira.mongodb.org/browse/PYTHON-4305
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-5629
+origin: https://patch-diff.githubusercontent.com/raw/mongodb/mongo-python-driver/pull/1564.patch
+---
+ bson/_cbsonmodule.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c
+index f457f96..02d9105 100644
+--- a/bson/_cbsonmodule.c
++++ b/bson/_cbsonmodule.c
+@@ -2334,6 +2334,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+             uint32_t c_w_s_size;
+             uint32_t code_size;
+             uint32_t scope_size;
++            uint32_t len;
+             PyObject* code;
+             PyObject* scope;
+             PyObject* code_type;
+@@ -2353,7 +2354,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+             memcpy(&code_size, buffer + *position, 4);
+             code_size = BSON_UINT32_FROM_LE(code_size);
+             /* code_w_scope length + code length + code + scope length */
+-            if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
++            len = 4 + 4 + code_size + 4;
++            if (!code_size || max < code_size || max < len || len < code_size) {
+                 goto invalid;
+             }
+             *position += 4;
+@@ -2371,12 +2373,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ 
+             memcpy(&scope_size, buffer + *position, 4);
+             scope_size = BSON_UINT32_FROM_LE(scope_size);
+-            if (scope_size < BSON_MIN_SIZE) {
+-                Py_DECREF(code);
+-                goto invalid;
+-            }
+             /* code length + code + scope length + scope */
+-            if ((4 + code_size + 4 + scope_size) != c_w_s_size) {
++            len = 4 + 4 + code_size + scope_size;
++            if (scope_size < BSON_MIN_SIZE || len != c_w_s_size || len < scope_size) {
+                 Py_DECREF(code);
+                 goto invalid;
+             }
diff -Nru pymongo-3.11.0/debian/patches/series pymongo-3.11.0/debian/patches/series
--- pymongo-3.11.0/debian/patches/series	2020-10-17 21:23:41.000000000 +0000
+++ pymongo-3.11.0/debian/patches/series	2024-06-16 17:42:49.000000000 +0000
@@ -1 +1,2 @@
 fcb6a8ecbc98fceca138d74fb09b516b172bb4e0.patch
+0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch

Attachment: signature.asc
Description: This is a digitally signed message part.

--- End Message ---

--- Begin Message ---

• To: 1073524-done@bugs.debian.org
• Subject: Released with 12.6
• From: Jonathan Wiltshire <jmw@coccia.debian.org>
• Date: Sat, 29 Jun 2024 10:46:21 +0000
• Message-id: <E1sNVb3-002bjt-Ds@coccia.debian.org>

Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---