Bug#1123625: bookworm-pu: package mongo-c-driver/1.23.1-1+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
[ Reason ]
This update fixes CVE-2025-12119:
mongoc_bulk_operation_t may read invalid memory if large options are
passed
[ Impact ]
Users and applications integrating mongo-c-driver components may be
vulnerable to a potential security issue.
[ Tests ]
The affected/changed code went through multiple upstream code reviews.
Also, accompanying unit tests were implemented and executed in
upstream's extensive CI environment.
[ Risks ]
Code changes are small and low risk. There are no workarounds.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Backport upstream patch from
https://github.com/mongodb/mongo-c-driver/commit/27419bebfa8c0772e220592c86cf700b1ce2995d
(only trivial changes were required, to account for small changes in the
context lines in two instances)
[ Other info ]
N/A
-----BEGIN PGP SIGNATURE-----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=M4ze
-----END PGP SIGNATURE-----
diff -Nru mongo-c-driver-1.23.1/debian/changelog mongo-c-driver-1.23.1/debian/changelog
--- mongo-c-driver-1.23.1/debian/changelog 2025-04-18 16:28:00.000000000 -0400
+++ mongo-c-driver-1.23.1/debian/changelog 2025-12-18 15:54:33.000000000 -0500
@@ -1,3 +1,10 @@
+mongo-c-driver (1.23.1-1+deb12u2) bookworm; urgency=medium
+
+ * Fix CVE-2025-12119: mongoc_bulk_operation_t may read invalid memory if
+ large options are passed.
+
+ -- Roberto C. Sanchez <roberto@connexer.com> Thu, 18 Dec 2025 15:54:33 -0500
+
mongo-c-driver (1.23.1-1+deb12u1) bookworm; urgency=medium
* Fix CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop
diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch
--- mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch 1969-12-31 19:00:00.000000000 -0500
+++ mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch 2025-12-18 15:54:33.000000000 -0500
@@ -0,0 +1,151 @@
+From 27419bebfa8c0772e220592c86cf700b1ce2995d Mon Sep 17 00:00:00 2001
+From: Kevin Albertson <kevin.albertson@mongodb.com>
+Date: Mon, 6 Oct 2025 11:38:22 -0400
+Subject: [PATCH] CDRIVER-6112 fix ownership transfer of
+ `mongoc_write_command_t` (#2132) (#2137)
+
+* add regression test
+* do not memcpy `bson_t` struct in array
+ * `memcpy` does not correctly transfer ownership of `bson_t`. Instead: heap allocate `bson_t`.
+* warn against using `bson_t` in `mongoc_array_t`
+---
+ src/libmongoc/src/mongoc/mongoc-array-private.h | 3
+ src/libmongoc/src/mongoc/mongoc-write-command-private.h | 2
+ src/libmongoc/src/mongoc/mongoc-write-command.c | 10 +-
+ src/libmongoc/tests/test-mongoc-bulk.c | 56 ++++++++++++++++
+ 4 files changed, 65 insertions(+), 6 deletions(-)
+
+--- a/src/libmongoc/src/mongoc/mongoc-array-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-array-private.h
+@@ -25,6 +25,9 @@
+ BSON_BEGIN_DECLS
+
+
++// mongoc_array_t stores an array of objects of type T.
++//
++// T must be trivially relocatable. In particular, `bson_t` is not trivially relocatable (CDRIVER-6113).
+ typedef struct _mongoc_array_t mongoc_array_t;
+
+
+--- a/src/libmongoc/src/mongoc/mongoc-write-command-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-write-command-private.h
+@@ -61,7 +61,7 @@
+ uint32_t n_documents;
+ mongoc_bulk_write_flags_t flags;
+ int64_t operation_id;
+- bson_t cmd_opts;
++ bson_t *cmd_opts;
+ } mongoc_write_command_t;
+
+
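Review bot: Changing `cmd_opts` from `bson_t` to `bson_t *` is only safe if every use of the field in the 1.23.1 tree is converted, and this patch shows just the four call sites in mongoc-write-command.c. A leftover `&command->cmd_opts` passed to a `const bson_t *` parameter would be a `bson_t **`, which GCC releases before 14 accept with only a warning, so a missed site would build and then read the pointer's bytes as a document. Since this is a backport onto older sources, it is worth grepping the tree for `cmd_opts` and doing one build with `-Werror=incompatible-pointer-types` before upload. The struct definition starts outside this hunk.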
+--- a/src/libmongoc/src/mongoc/mongoc-write-command.c
++++ b/src/libmongoc/src/mongoc/mongoc-write-command.c
+@@ -183,9 +183,9 @@
+ command->flags = flags;
+ command->operation_id = operation_id;
+ if (!bson_empty0 (opts)) {
+- bson_copy_to (opts, &command->cmd_opts);
++ command->cmd_opts = bson_copy (opts);
+ } else {
+- bson_init (&command->cmd_opts);
++ command->cmd_opts = bson_new ();
+ }
+
+ _mongoc_buffer_init (&command->payload, NULL, 0, NULL, NULL);
+@@ -501,7 +501,7 @@
+ ? MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_NO
+ : MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_YES;
+
+- BSON_ASSERT (bson_iter_init (&iter, &command->cmd_opts));
++ BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts));
+ if (!mongoc_cmd_parts_append_opts (
+ &parts, &iter, server_stream->sd->max_wire_version, error)) {
+ bson_destroy (&cmd);
+@@ -724,7 +724,7 @@
+ ret = mongoc_cmd_parts_set_write_concern (
+ parts, write_concern, server_stream->sd->max_wire_version, error);
+ if (ret) {
+- BSON_ASSERT (bson_iter_init (&iter, &command->cmd_opts));
++ BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts));
+ ret = mongoc_cmd_parts_append_opts (
+ parts, &iter, server_stream->sd->max_wire_version, error);
+ }
+@@ -1095,7 +1095,7 @@
+ ENTRY;
+
+ if (command) {
+- bson_destroy (&command->cmd_opts);
++ bson_destroy (command->cmd_opts);
+ _mongoc_buffer_destroy (&command->payload);
+ }
+
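Review bot: After `bson_destroy (command->cmd_opts);` the struct keeps a dangling heap pointer, where the old embedded `bson_t` had no separate allocation to free twice. Commands are stored by value in a `mongoc_array_t`, so if any stale copy of the struct is destroyed again this becomes a double free. Adding `command->cmd_opts = NULL;` directly after the destroy makes a repeated call harmless, assuming `bson_destroy` ignores NULL as it does in current libbson. The function body begins and ends outside this hunk.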
+--- a/src/libmongoc/tests/test-mongoc-bulk.c
++++ b/src/libmongoc/tests/test-mongoc-bulk.c
+@@ -4934,6 +4934,55 @@
+ }
+
+
++// `test_bulk_big_let` tests a bulk operation with a large let document to reproduce CDRIVER-6112:
++static void
++test_bulk_big_let (void *unused)
++{
++ BSON_UNUSED (unused);
++
++ mongoc_client_t *client = test_framework_new_default_client ();
++ mongoc_collection_t *coll = get_test_collection (client, "test_big_let");
++ bson_error_t error;
++
++ // Create bulk operation similar to PHP driver:
++ mongoc_bulk_operation_t *bulk = mongoc_bulk_operation_new (true /* ordered */);
++
++ // Set a large `let`: { "testDocument": { "a": "aaa..." } }
++ {
++ bson_t let = BSON_INITIALIZER, testDocument;
++ bson_append_document_begin (&let, "testDocument", -1, &testDocument);
++
++ // Append big string:
++ {
++ size_t num_chars = 79;
++ char *big_string = bson_malloc0 (num_chars + 1);
++ memset (big_string, 'a', num_chars);
++ BSON_APPEND_UTF8 (&testDocument, "a", big_string);
++ bson_free (big_string);
++ }
++
++ bson_append_document_end (&let, &testDocument);
++ mongoc_bulk_operation_set_let (bulk, &let);
++ bson_destroy (&let);
++ }
++
++
++ mongoc_bulk_operation_set_client (bulk, client);
++ mongoc_bulk_operation_set_database (bulk, "db");
++ mongoc_bulk_operation_set_collection (bulk, "coll");
++
++ mongoc_bulk_operation_update (
++ bulk, tmp_bson ("{'_id': 1}"), tmp_bson ("{'$set': {'document': '$$testDocument'}}"), true);
++
++
++ ASSERT_OR_PRINT (mongoc_bulk_operation_execute (bulk, NULL, &error), error);
++
++ mongoc_bulk_operation_destroy (bulk);
++ mongoc_collection_destroy (coll);
++ mongoc_client_destroy (client);
++}
++
++
+ void
+ test_bulk_install (TestSuite *suite)
+ {
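Review bot: The constant in `size_t num_chars = 79;` carries the whole point of the regression test but is not explained. It appears to be the length at which the copied options document (`let` wrapped in the command opts) no longer fits `bson_t`'s inline storage; a comment such as `// 79 chars makes cmd_opts exceed bson_t's inline buffer, forcing the heap-backed layout that memcpy broke` would stop it being "simplified" later (confirm the arithmetic against the bson_t layout in this version). Separately, `coll` from `get_test_collection` is only created and destroyed, while the bulk targets the hard-coded `"db"`/`"coll"` namespace and leaves the upserted document behind. Using `coll`'s database and collection names, or dropping `coll`, would keep the test self-contained.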
+@@ -5230,4 +5279,11 @@
+ suite, "/BulkOperation/opts/let", test_bulk_let);
+ TestSuite_AddMockServerTest (
+ suite, "/BulkOperation/opts/let/multi", test_bulk_let_multi);
++ TestSuite_AddFull (
++ suite,
++ "/BulkOperation/big_let",
++ test_bulk_big_let,
++ NULL,
++ NULL,
++ test_framework_skip_if_max_wire_version_less_than_13 /* 5.0+ for 'let' support in CRUD commands */);
+ }
diff -Nru mongo-c-driver-1.23.1/debian/patches/series mongo-c-driver-1.23.1/debian/patches/series
--- mongo-c-driver-1.23.1/debian/patches/series 2025-04-18 16:28:00.000000000 -0400
+++ mongo-c-driver-1.23.1/debian/patches/series 2025-12-18 15:54:33.000000000 -0500
@@ -2,3 +2,4 @@
CVE-2024-6381.patch
CVE-2024-6383.patch
CVE-2025-0755.patch
+CVE-2025-12119.patch