--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package mongo-c-driver/1.23.1-1+deb12u1
- From: "Roberto C. Sanchez" <roberto@connexer.com>
- Date: Fri, 18 Apr 2025 20:18:18 -0400
- Message-id: <174502189830.330258.4366638255990886991.reportbug@miami.connexer.com>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
[ Reason ]
Fix an assortment of <no-dsa> CVEs.
[ Impact ]
Without this update some memory corruption and application crash
vulnerabilities will remain unresolved.
[ Tests ]
The patches are straight cherry-picks of the relevant upstream commits,
which have passed through extensive CI upstream and they have been
available to users for between 6 and 18 months (both via upstream
releases which include the fixes and the corresponding packages in
Debian unstable/testing).
[ Risks ]
The risks are low. The 4 patches themselves in aggregate have the
following extent:
4 files changed, 38 insertions(+), 12 deletions(-)
The individual changes underwent substantial upstream scrutiny,
including code reviews by multiple developers, manual testing during
development, and the aforementioned extensive CI.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
(Explain *all* the changes)
CVE-2023-0437: change type of loop indices to guard against overflow
(cherry-picked with no changes required)
CVE-2024-6381: iterate over a NULL-terminated string using a pointer
(checking for the NULL to know when to stop) rather than an integer
index (cherry-picked with no changes required)
CVE-2024-6383: keep track of allocated string size during allocation and
append operations to guard against buffer overflow and memory corruption
(backported with the only change being related to handling changed
whitespace)
CVE-2025-0755: keep track of allocated string size during append
operations to guard against buffer overflow and memory corruption
(cherry-picked with no changes required)
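The capacity arithmetic behind the CVE-2024-6383 entry above (keeping the allocated size and the used length in 32-bit counters and refusing growth that would wrap them), as an added example that is not part of this debdiff or of the mongo-c-driver source: a hypothetical `sbuf_t` buffer with the pre-fix growth computation (`grow_size_unchecked`) next to the guarded one (`grow_size_checked`) and an append routine built on the guarded version. All names and the near-limit counter values in `main` are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal growable string (not libbson's bson_string_t). */
typedef struct {
    char *str;
    uint32_t len;   /* bytes in use, NUL excluded */
    uint32_t alloc; /* bytes allocated, NUL included; invariant alloc >= len + 1 */
} sbuf_t;

static bool is_pow2_u64(uint64_t v) { return v != 0 && (v & (v - 1)) == 0; }

static uint64_t next_pow2_u64(uint64_t v) {
    uint64_t p = 1;
    while (p < v) p <<= 1;
    return p;
}

/* Pre-fix arithmetic: `alloc += add` in uint32_t, then the 64-bit power-of-two
 * result is cast back to uint32_t. Returns the capacity a caller would realloc
 * to; with a near-full 32-bit counter this wraps to a tiny value, so the
 * following memcpy of `add` bytes runs past the allocation. */
static uint32_t grow_size_unchecked(uint32_t alloc, uint32_t len, uint32_t add) {
    if ((alloc - len - 1) >= add) return alloc;                 /* room already */
    alloc += add;                                               /* silently wraps */
    if (!is_pow2_u64(alloc)) alloc = (uint32_t)next_pow2_u64(alloc); /* truncates */
    return alloc;
}

/* Fixed arithmetic: refuse any growth that cannot be represented in uint32_t
 * instead of wrapping. Returns false when the append must be rejected. */
static bool grow_size_checked(uint32_t alloc, uint32_t len, uint32_t add, uint32_t *out) {
    if ((alloc - len - 1) >= add) { *out = alloc; return true; }
    if (alloc > UINT32_MAX - add) return false;     /* alloc + add would wrap */
    uint64_t want = (uint64_t)alloc + add;
    if (!is_pow2_u64(want)) want = next_pow2_u64(want);
    if (want > UINT32_MAX) return false;            /* rounding crossed the limit */
    *out = (uint32_t)want;
    return true;
}

static bool sbuf_init(sbuf_t *s, const char *init) {
    size_t n = init ? strlen(init) : 0;
    if (n >= UINT32_MAX) return false;              /* len + 1 must fit in uint32_t */
    uint64_t cap = (uint64_t)n + 1;
    if (!is_pow2_u64(cap)) cap = next_pow2_u64(cap);
    if (cap > UINT32_MAX) return false;
    s->str = malloc((size_t)cap);
    if (!s->str) return false;
    memcpy(s->str, init ? init : "", n + 1);
    s->len = (uint32_t)n;
    s->alloc = (uint32_t)cap;
    return true;
}

/* Append using the guarded growth; a rejected append leaves the buffer intact. */
static bool sbuf_append(sbuf_t *s, const char *str) {
    size_t len_sz = strlen(str);
    if (len_sz > UINT32_MAX) return false;
    uint32_t len = (uint32_t)len_sz, cap = 0;
    if (!grow_size_checked(s->alloc, s->len, len, &cap)) return false;
    if (cap != s->alloc) {
        char *p = realloc(s->str, cap);
        if (!p) return false;
        s->str = p;
        s->alloc = cap;
    }
    memcpy(s->str + s->len, str, (size_t)len + 1);  /* copies the NUL as well */
    s->len += len;
    return true;
}

static void sbuf_free(sbuf_t *s) { free(s->str); s->str = NULL; s->len = s->alloc = 0; }

int main(void) {
    /* Constructed near-limit counters: the unchecked math yields 16 bytes for a
     * 32-byte append, which is exactly the heap overflow the guard prevents. */
    uint32_t alloc = 0xFFFFFFF0u, len = 0xFFFFFFEFu, add = 0x20u, cap = 0;
    printf("unchecked capacity for 0x20 more bytes: %u\n", grow_size_unchecked(alloc, len, add));
    printf("checked append accepted: %s\n", grow_size_checked(alloc, len, add, &cap) ? "yes" : "no");

    sbuf_t s;
    if (sbuf_init(&s, "abc") && sbuf_append(&s, "defgh"))
        printf("%s (len=%u alloc=%u)\n", s.str, s.len, s.alloc);
    sbuf_free(&s);
    return 0;
}
```

The two guards in `grow_size_checked` correspond to the two assertions the patch adds to `bson_string_append`: one before the addition and one after rounding the sum up to a power of two, because the rounding alone can push a value that still fitted past UINT32_MAX.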
[ Other info ]
I was the primary developer of 2 of the 4 patches, and I am very
confident in the team's processes around the other two patches. These
changes pose a minimal regression risk, if any at all.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff -Nru mongo-c-driver-1.23.1/debian/changelog mongo-c-driver-1.23.1/debian/changelog
--- mongo-c-driver-1.23.1/debian/changelog 2022-10-20 12:58:40.000000000 -0400
+++ mongo-c-driver-1.23.1/debian/changelog 2025-04-18 16:28:00.000000000 -0400
@@ -1,3 +1,24 @@
+mongo-c-driver (1.23.1-1+deb12u1) bookworm; urgency=medium
+
+ * Fix CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop
+ with an exit condition that cannot be reached may occur, i.e. an infinite
+ loop.
+ * Fix CVE-2024-6381: The bson_strfreev function in the MongoDB C driver
+ library may be susceptible to an integer overflow where the function will
+ try to free memory at a negative offset. This may result in memory
+ corruption.
+ * Fix CVE-2024-6383: The bson_string_append function in MongoDB C Driver may
+ be vulnerable to a buffer overflow where the function might attempt to
+ allocate too small of buffer and may lead to memory corruption of
+ neighbouring heap memory.
+ * Fix CVE-2025-0755: The various bson_append functions in the MongoDB C
+ driver library may be susceptible to buffer overflow when performing
+ operations that could result in a final BSON document which exceeds the
+ maximum allowable size (INT32_MAX), resulting in a segmentation fault and
+ possible application crash.
+
+ -- Roberto C. Sanchez <roberto@connexer.com> Fri, 18 Apr 2025 16:28:00 -0400
+
mongo-c-driver (1.23.1-1) unstable; urgency=medium
* New upstream release
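Review bot: the checklist says every change is documented in d/changelog, but this entry lists only the four CVE fixes; the debdiff also drops `pbuilder = True` from debian/gbp.conf, renames the upstream and debian branches to `debian/bookworm`, and makes the prebuild hook reuse an existing orig tarball. Add a changelog line for the gbp.conf changes (or leave them out of the stable upload if they are purely local workflow) so the release team can see that the built source package is unaffected.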
diff -Nru mongo-c-driver-1.23.1/debian/gbp.conf mongo-c-driver-1.23.1/debian/gbp.conf
--- mongo-c-driver-1.23.1/debian/gbp.conf 2022-10-20 12:58:40.000000000 -0400
+++ mongo-c-driver-1.23.1/debian/gbp.conf 2025-04-18 16:28:00.000000000 -0400
@@ -1,7 +1,6 @@
[DEFAULT]
pristine-tar = False
no-create-orig = True
-pbuilder = True
prebuild = bash -c "
# Show execution trace
@@ -13,11 +12,11 @@
zlib_rm_files=\"$(find src/zlib-* -mindepth 1 -maxdepth 1 \! -name zconf.h.in -printf '%p ')\" &&
# Create upstream tarball from reference, exclude items that do not belong
pushd $GBP_GIT_DIR/.. &&
- git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz &&
+ ( [ -f $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ] || git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ) &&
popd &&
rm -rf \$zlib_rm_files"
upstream-tree = BRANCH
-upstream-branch = r1.23
+upstream-branch = debian/bookworm
upstream-tag = %(version)s
-debian-branch = r1.23
+debian-branch = debian/bookworm
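Review bot: the new `( [ -f ... ] || git archive ... )` guard silently reuses whatever `mongo-c-driver_${upstream_version}.orig.tar.gz` already exists in the parent directory. For a stable update that is the behaviour you want, since the upload must reuse the orig tarball already in the archive byte for byte, but it also means a locally generated tarball for the same version built from a different HEAD would be picked up without any warning; a one-line comment in the prebuild script saying the archive tarball is expected there would make the intent clear, and the `debian/bookworm` branch renames deserve a mention in the changelog.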
diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch
--- mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch 1969-12-31 19:00:00.000000000 -0500
+++ mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch 2025-04-18 16:28:00.000000000 -0400
@@ -0,0 +1,29 @@
+From fd3a978b35cac8f3c78c4d9a1b08fd5aa4d440b8 Mon Sep 17 00:00:00 2001
+From: Kevin Albertson <kevin.albertson@mongodb.com>
+Date: Mon, 30 Oct 2023 18:01:30 +0000
+Subject: [PATCH] CDRIVER-4747 use `size_t` consistently in
+ `bson_utf8_validate` (#1458)
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/fd3a978b35cac8f3c78c4d9a1b08fd5aa4d440b8
+---
+ src/libbson/src/bson/bson-utf8.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libbson/src/bson/bson-utf8.c b/src/libbson/src/bson/bson-utf8.c
+index d7e9168c96..ac7a1bddfe 100644
+--- a/src/libbson/src/bson/bson-utf8.c
++++ b/src/libbson/src/bson/bson-utf8.c
+@@ -118,8 +118,8 @@ bson_utf8_validate (const char *utf8, /* IN */
+ bson_unichar_t c;
+ uint8_t first_mask;
+ uint8_t seq_length;
+- unsigned i;
+- unsigned j;
++ size_t i;
++ size_t j;
+
+ BSON_ASSERT (utf8);
+
+--
+2.39.5
+
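Review bot: the hunk changes only the declarations of `i` and `j` from `unsigned` to `size_t`; the rest of `bson_utf8_validate` is not shown, so confirm that the length the loop compares against is a `size_t` in the 1.23.1 tree, otherwise the change has no effect. If it is, the two-line fix is complete: a 32-bit `unsigned` index compared against a 64-bit length larger than UINT32_MAX wraps back to zero and the loop can never reach its exit condition, which is the infinite loop named in the changelog entry.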
diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch
--- mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch 1969-12-31 19:00:00.000000000 -0500
+++ mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch 2025-04-18 16:28:00.000000000 -0400
@@ -0,0 +1,34 @@
+From effd95c34ad421df94eec7c69236f0e4172552d0 Mon Sep 17 00:00:00 2001
+From: Ezra Chung <88335979+eramongodb@users.noreply.github.com>
+Date: Fri, 8 Mar 2024 13:09:07 -0600
+Subject: [PATCH] CDRIVER-5504 Use pointer-based iteration when traversing
+ array elements (#1552)
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/effd95c34ad421df94eec7c69236f0e4172552d0
+---
+ src/libbson/src/bson/bson-string.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libbson/src/bson/bson-string.c b/src/libbson/src/bson/bson-string.c
+index 36c4c5ab49..958fd10666 100644
+--- a/src/libbson/src/bson/bson-string.c
++++ b/src/libbson/src/bson/bson-string.c
+@@ -473,11 +473,11 @@ bson_strndup (const char *str, /* IN */
+ void
+ bson_strfreev (char **str) /* IN */
+ {
+- int i;
+-
+ if (str) {
+- for (i = 0; str[i]; i++)
+- bson_free (str[i]);
++ for (char **ptr = str; *ptr != NULL; ++ptr) {
++ bson_free (*ptr);
++ }
++
+ bson_free (str);
+ }
+ }
+--
+2.39.5
+
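Review bot: the [Changes] summary describes this as iterating over a NULL-terminated string, but the hunk iterates a NULL-terminated array of strings (`char **str`), freeing each element and then the array itself; the bug report wording should say array of strings. Removing the `int i` index is what eliminates the signed counter the changelog says could overflow and produce a negative offset. The `for (char **ptr = ...)` declaration inside the for statement needs C99 or later, as does the mid-block `uint64_t n_bytes_sum` in the CVE-2025-0755 hunk, so this only matters if the package passes an explicit `-std=` flag; a build log from the bookworm chroot settles it.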
diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch
--- mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch 1969-12-31 19:00:00.000000000 -0500
+++ mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch 2025-04-18 16:28:00.000000000 -0400
@@ -0,0 +1,77 @@
+From 7c34461863211be172e6317221d72e4429bed45e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
+Date: Fri, 3 May 2024 15:30:45 -0400
+Subject: [PATCH] CDRIVER-5552 more robust string handling (#1593)
+
+Co-authored-by: Kevin Albertson <kevin.albertson@10gen.com>
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/7c34461863211be172e6317221d72e4429bed45e
+---
+ src/libbson/src/bson/bson-string.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/src/libbson/src/bson/bson-string.c
++++ b/src/libbson/src/bson/bson-string.c
+@@ -20,6 +20,7 @@
+
+ #include "bson-compat.h"
+ #include "bson-config.h"
++#include "bson-cmp.h"
+ #include "bson-string.h"
+ #include "bson-memory.h"
+ #include "bson-utf8.h"
+@@ -61,16 +62,25 @@
+ bson_string_new (const char *str) /* IN */
+ {
+ bson_string_t *ret;
++ size_t len_sz;
+
+ ret = bson_malloc0 (sizeof *ret);
+- ret->len = str ? (int) strlen (str) : 0;
++ if (str) {
++ len_sz = strlen (str);
++ BSON_ASSERT (len_sz <= UINT32_MAX);
++ ret->len = (uint32_t) len_sz;
++ } else {
++ ret->len = 0;
++ }
+ ret->alloc = ret->len + 1;
+
+ if (!bson_is_power_of_two (ret->alloc)) {
+- ret->alloc = (uint32_t) bson_next_power_of_two ((size_t) ret->alloc);
++ len_sz = bson_next_power_of_two ((size_t) ret->alloc);
++ BSON_ASSERT (len_sz <= UINT32_MAX);
++ ret->alloc = (uint32_t) len_sz;
+ }
+
+- BSON_ASSERT (ret->alloc >= 1);
++ BSON_ASSERT (ret->alloc >= ret->len + 1);
+
+ ret->str = bson_malloc (ret->alloc);
+
+@@ -125,17 +135,22 @@
+ const char *str) /* IN */
+ {
+ uint32_t len;
++ size_t len_sz;
+
+ BSON_ASSERT (string);
+ BSON_ASSERT (str);
+
+- len = (uint32_t) strlen (str);
++ len_sz = strlen (str);
++ BSON_ASSERT (bson_in_range_unsigned (uint32_t, len_sz));
++ len = (uint32_t) len_sz;
+
+ if ((string->alloc - string->len - 1) < len) {
++ BSON_ASSERT (string->alloc <= UINT32_MAX - len);
+ string->alloc += len;
+ if (!bson_is_power_of_two (string->alloc)) {
+- string->alloc =
+- (uint32_t) bson_next_power_of_two ((size_t) string->alloc);
++ len_sz = bson_next_power_of_two ((size_t) string->alloc);
++ BSON_ASSERT (len_sz <= UINT32_MAX);
++ string->alloc = (uint32_t) len_sz;
+ }
+ string->str = bson_realloc (string->str, string->alloc);
+ }
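Review bot: this backport adds `#include "bson-cmp.h"` and calls `bson_in_range_unsigned`, so confirm that both the header and that macro exist in the 1.23.1 tree; the [Changes] section says the only adjustment was whitespace, which implies they do, but the build log should confirm it. Every new guard is a `BSON_ASSERT`, so a string whose length would overflow the 32-bit `len`/`alloc` counters now aborts the process instead of silently corrupting the heap; that is the intended trade-off for libbson, but it is a new failure mode worth one sentence in the changelog. The checks are also written two ways (`len_sz <= UINT32_MAX` in `bson_string_new`, `bson_in_range_unsigned (uint32_t, len_sz)` in `bson_string_append`); both are equivalent and match upstream, so leave them as they are. Unlike the other three patch files this one carries no `diff --git`/`index` lines and no git version trailer, which is consistent with a hand-backported hunk and fine for quilt.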
diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch
--- mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch 1969-12-31 19:00:00.000000000 -0500
+++ mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch 2025-04-18 16:28:00.000000000 -0400
@@ -0,0 +1,39 @@
+From d3cdb626be30748b9360451023c75438ec346a38 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
+Date: Tue, 16 Jul 2024 16:15:16 -0400
+Subject: [PATCH] CDRIVER-5601 more robust bson append (#1648)
+
+Co-authored-by: Kevin Albertson <kevin.albertson@10gen.com>
+Co-authored-by: Ezra Chung <88335979+eramongodb@users.noreply.github.com>
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/d3cdb626be30748b9360451023c75438ec346a38
+---
+ src/libbson/src/bson/bson.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/libbson/src/bson/bson.c b/src/libbson/src/bson/bson.c
+index adc5ee2cc8..e29b2a771c 100644
+--- a/src/libbson/src/bson/bson.c
++++ b/src/libbson/src/bson/bson.c
+@@ -324,7 +324,18 @@ _bson_append_va (bson_t *bson, /* IN */
+
+ buf = _bson_data (bson) + bson->len - 1;
+
++ /* Track running sum of bytes written in a uint64_t to detect possible overflow of `n_bytes`. */
++ uint64_t n_bytes_sum = 0;
+ do {
++ // Size of any individual data being appended should not exceed the total byte limit.
++ if (BSON_UNLIKELY (bson_cmp_less_uu (n_bytes, data_len))) {
++ return false;
++ }
++ // Total size of data being appended should not exceed the total byte limit.
++ if (BSON_UNLIKELY (bson_cmp_greater_uu (n_bytes_sum, n_bytes - data_len))) {
++ return false;
++ }
++ n_bytes_sum += data_len;
+ n_pairs--;
+ /* data may be NULL if data_len is 0. memcpy is not safe to call with
+ * NULL. */
+--
+2.39.5
+
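Review bot: `bson_cmp_less_uu` and `bson_cmp_greater_uu` come from bson-cmp.h, yet this hunk adds no include to bson.c (the CVE-2024-6383 patch adds the include only to bson-string.c), so confirm that bson.c in 1.23.1 already includes that header or the build will fail. The check order is correct: `n_bytes < data_len` is rejected first, so `n_bytes - data_len` in the second comparison cannot underflow, and `n_bytes_sum` is a `uint64_t` so the running total cannot wrap for any sequence of 32-bit lengths. The `//` comments differ from the `/* */` style of the surrounding code; harmless, and keeping the patch identical to upstream is preferable to restyling it.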
diff -Nru mongo-c-driver-1.23.1/debian/patches/series mongo-c-driver-1.23.1/debian/patches/series
--- mongo-c-driver-1.23.1/debian/patches/series 1969-12-31 19:00:00.000000000 -0500
+++ mongo-c-driver-1.23.1/debian/patches/series 2025-04-18 16:28:00.000000000 -0400
@@ -0,0 +1,4 @@
+CVE-2023-0437.patch
+CVE-2024-6381.patch
+CVE-2024-6383.patch
+CVE-2025-0755.patch
--- End Message ---