--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: trixie-pu: package mongo-c-driver/1.30.4-1+deb13u1
- From: "Roberto C. Sanchez" <roberto@connexer.com>
- Date: Thu, 18 Dec 2025 16:57:50 -0500
- Message-id: <176609507055.327782.16538968825987565534.reportbug@miami.connexer.com>
Package: release.debian.org
Severity: normal
Tags: trixie
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
[ Reason ]
This update fixes CVE-2025-12119:
mongoc_bulk_operation_t may read invalid memory if large options are
passed
[ Impact ]
Users and applications integrating mongo-c-driver components may be
vulnerable to a potential security issue.
[ Tests ]
The affected/changed code went through multiple upstream code reviews.
Also, accompanying unit tests were implemented and executed in
upstream's extensive CI environment.
[ Risks ]
Code changes are small and low risk. There are no work arounds.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Backport upstream patch from
https://github.com/mongodb/mongo-c-driver/commit/27419bebfa8c0772e220592c86cf700b1ce2995d
(no changes required for backporting)
[ Other info ]
N/A
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEIYZ1DR4ae5UL01q7ldFmTdL1kUIFAmlEeN4ACgkQldFmTdL1
kUKK8xAAr7jhJ9PLzUQ1CryKr2gzigM51U0pqCdmIvZJQM0eKI8bP6snIoj/qcWA
HXt0BuEHJxAhLpsEbenimKgyCjoted45hEoccdjhnHGkAWdusBF0Lbab6c6Qt76m
2gBms9S1rEE4Q9ONZS4UCdU40aqC0BxVJkGtDKZT3TYqscvlhsNX9EvrZbOsmM9y
zThRlzHFbsrvpbfXzodIQQISlni9NOoAmF4L06M1bRwd4OB9GiAOl1c3xRXU1N3R
kRM6Rk/X7L/6RMTmIdOmo9fI9czTiT/D0hI9y6VUY2L7lxfIGBEDuhGV5JqLVZWl
Z4Z9u4B91l3Vyg3tl4DSo3jyleScgrUrhqV7A6Spdkd3RXOxZXJ0oL+jXNGPsMOw
C8/OdZDWxoPi4Hzyp1dgCursdSHfc5pOmTxqB9eFVfSDXB+k3jOhZGZRDyzlUcHw
Ld1QPfp3rz8SL2XE8LcLbtXQtOmG0r5X+Lk3fuNd+BdgGhDB+0aG6ZCyR9VzRckY
TUQ1nGJb5p32EYn0ZBfsUczDgfqIKQI0chhOBDwB6Q+MLdjQgbTY+0veMRE5bkRD
S/zFr2qb9sM04C2JIfRqSYjOofBXp+rnyQjtiCBSHt8D9QAWl1ev/pDU4t/CHRAP
Sxbn+un66jDhQPoCMJ/ixYiN1boz48j8Tr3n1iLASncy1/BOiN8=
=tZpt
-----END PGP SIGNATURE-----
diff -Nru mongo-c-driver-1.30.4/debian/changelog mongo-c-driver-1.30.4/debian/changelog
--- mongo-c-driver-1.30.4/debian/changelog 2025-05-07 15:11:43.000000000 -0400
+++ mongo-c-driver-1.30.4/debian/changelog 2025-12-18 14:50:07.000000000 -0500
@@ -1,3 +1,10 @@
+mongo-c-driver (1.30.4-1+deb13u1) trixie; urgency=medium
+
+ * Fix CVE-2025-12119: mongoc_bulk_operation_t may read invalid memory if
+ large options are passed.
+
+ -- Roberto C. Sanchez <roberto@connexer.com> Thu, 18 Dec 2025 14:50:07 -0500
+
mongo-c-driver (1.30.4-1) unstable; urgency=medium
* New upstream release
diff -Nru mongo-c-driver-1.30.4/debian/gbp.conf mongo-c-driver-1.30.4/debian/gbp.conf
--- mongo-c-driver-1.30.4/debian/gbp.conf 2025-05-07 15:11:43.000000000 -0400
+++ mongo-c-driver-1.30.4/debian/gbp.conf 2025-12-18 14:50:07.000000000 -0500
@@ -14,9 +14,9 @@
utf8proc_rm_files=\"$(find src/utf8proc-* -printf '%p ')\" &&
# Create upstream tarball from reference, exclude items that do not belong
pushd $GBP_GIT_DIR/.. &&
- git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files \$utf8proc_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz &&
+ ( [ -f $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ] || git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files \$utf8proc_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ) &&
popd &&
rm -rf \$zlib_rm_files \$utf8proc_rm_files"
upstream-tag = %(version)s
-debian-branch = debian/unstable
+debian-branch = debian/trixie
diff -Nru mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch
--- mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch 1969-12-31 19:00:00.000000000 -0500
+++ mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch 2025-12-18 14:50:07.000000000 -0500
@@ -0,0 +1,153 @@
+From 27419bebfa8c0772e220592c86cf700b1ce2995d Mon Sep 17 00:00:00 2001
+From: Kevin Albertson <kevin.albertson@mongodb.com>
+Date: Mon, 6 Oct 2025 11:38:22 -0400
+Subject: [PATCH] CDRIVER-6112 fix ownership transfer of
+ `mongoc_write_command_t` (#2132) (#2137)
+
+* add regression test
+* do not memcpy `bson_t` struct in array
+ * `memcpy` does not correctly transfer ownership of `bson_t`. Instead: heap allocate `bson_t`.
+* warn against using `bson_t` in `mongoc_array_t`
+---
+ .../src/mongoc/mongoc-array-private.h | 3 +
+ .../src/mongoc/mongoc-write-command-private.h | 2 +-
+ .../src/mongoc/mongoc-write-command.c | 8 +--
+ src/libmongoc/tests/test-mongoc-bulk.c | 56 +++++++++++++++++++
+ 4 files changed, 64 insertions(+), 5 deletions(-)
+
+diff --git a/src/libmongoc/src/mongoc/mongoc-array-private.h b/src/libmongoc/src/mongoc/mongoc-array-private.h
+index 9956224b34..c8de6f1f52 100644
+--- a/src/libmongoc/src/mongoc/mongoc-array-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-array-private.h
+@@ -25,6 +25,9 @@
+ BSON_BEGIN_DECLS
+
+
++// mongoc_array_t stores an array of objects of type T.
++//
++// T must be trivially relocatable. In particular, `bson_t` is not trivially relocatable (CDRIVER-6113).
+ typedef struct _mongoc_array_t mongoc_array_t;
+
+
+diff --git a/src/libmongoc/src/mongoc/mongoc-write-command-private.h b/src/libmongoc/src/mongoc/mongoc-write-command-private.h
+index 85121594e0..c1bf751e01 100644
+--- a/src/libmongoc/src/mongoc/mongoc-write-command-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-write-command-private.h
+@@ -61,7 +61,7 @@ typedef struct {
+ uint32_t n_documents;
+ mongoc_bulk_write_flags_t flags;
+ int64_t operation_id;
+- bson_t cmd_opts;
++ bson_t *cmd_opts;
+ } mongoc_write_command_t;
+
+
+diff --git a/src/libmongoc/src/mongoc/mongoc-write-command.c b/src/libmongoc/src/mongoc/mongoc-write-command.c
+index a375d8f200..36f2470acb 100644
+--- a/src/libmongoc/src/mongoc/mongoc-write-command.c
++++ b/src/libmongoc/src/mongoc/mongoc-write-command.c
+@@ -143,9 +143,9 @@ _mongoc_write_command_init_bulk (
+ command->flags = flags;
+ command->operation_id = operation_id;
+ if (!bson_empty0 (opts)) {
+- bson_copy_to (opts, &command->cmd_opts);
++ command->cmd_opts = bson_copy (opts);
+ } else {
+- bson_init (&command->cmd_opts);
++ command->cmd_opts = bson_new ();
+ }
+
+ _mongoc_buffer_init (&command->payload, NULL, 0, NULL, NULL);
+@@ -671,7 +671,7 @@ _mongoc_write_opmsg (mongoc_write_command_t *command,
+ ? MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_NO
+ : MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_YES;
+
+- BSON_ASSERT (bson_iter_init (&iter, &command->cmd_opts));
++ BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts));
+ if (!mongoc_cmd_parts_append_opts (&parts, &iter, error)) {
+ bson_destroy (&cmd);
+ mongoc_cmd_parts_cleanup (&parts);
+@@ -944,7 +944,7 @@ _mongoc_write_command_destroy (mongoc_write_command_t *command)
+ ENTRY;
+
+ if (command) {
+- bson_destroy (&command->cmd_opts);
++ bson_destroy (command->cmd_opts);
+ _mongoc_buffer_destroy (&command->payload);
+ }
+
+diff --git a/src/libmongoc/tests/test-mongoc-bulk.c b/src/libmongoc/tests/test-mongoc-bulk.c
+index 357893ce1c..e4666c1db3 100644
+--- a/src/libmongoc/tests/test-mongoc-bulk.c
++++ b/src/libmongoc/tests/test-mongoc-bulk.c
+@@ -4768,6 +4768,55 @@ test_bulk_write_set_client_updates_operation_id_when_client_changes (void)
+ mock_server_destroy (mock_server);
+ }
+
++// `test_bulk_big_let` tests a bulk operation with a large let document to reproduce CDRIVER-6112:
++static void
++test_bulk_big_let (void *unused)
++{
++ BSON_UNUSED (unused);
++
++ mongoc_client_t *client = test_framework_new_default_client ();
++ mongoc_collection_t *coll = get_test_collection (client, "test_big_let");
++ bson_error_t error;
++
++ // Create bulk operation similar to PHP driver:
++ mongoc_bulk_operation_t *bulk = mongoc_bulk_operation_new (true /* ordered */);
++
++ // Set a large `let`: { "testDocument": { "a": "aaa..." } }
++ {
++ bson_t let = BSON_INITIALIZER, testDocument;
++ bson_append_document_begin (&let, "testDocument", -1, &testDocument);
++
++ // Append big string:
++ {
++ size_t num_chars = 79;
++ char *big_string = bson_malloc0 (num_chars + 1);
++ memset (big_string, 'a', num_chars);
++ BSON_APPEND_UTF8 (&testDocument, "a", big_string);
++ bson_free (big_string);
++ }
++
++ bson_append_document_end (&let, &testDocument);
++ mongoc_bulk_operation_set_let (bulk, &let);
++ bson_destroy (&let);
++ }
++
++
++ mongoc_bulk_operation_set_client (bulk, client);
++ mongoc_bulk_operation_set_database (bulk, "db");
++ mongoc_bulk_operation_set_collection (bulk, "coll");
++
++ mongoc_bulk_operation_update (
++ bulk, tmp_bson ("{'_id': 1}"), tmp_bson ("{'$set': {'document': '$$testDocument'}}"), true);
++
++
++ ASSERT_OR_PRINT (mongoc_bulk_operation_execute (bulk, NULL, &error), error);
++
++ mongoc_bulk_operation_destroy (bulk);
++ mongoc_collection_destroy (coll);
++ mongoc_client_destroy (client);
++}
++
++
+ void
+ test_bulk_install (TestSuite *suite)
+ {
+@@ -4946,4 +4995,11 @@ test_bulk_install (TestSuite *suite)
+ TestSuite_AddMockServerTest (suite,
+ "/BulkOperation/set_client_updates_operation_id_when_client_changes",
+ test_bulk_write_set_client_updates_operation_id_when_client_changes);
++ TestSuite_AddFull (
++ suite,
++ "/BulkOperation/big_let",
++ test_bulk_big_let,
++ NULL,
++ NULL,
++ test_framework_skip_if_max_wire_version_less_than_13 /* 5.0+ for 'let' support in CRUD commands */);
+ }
+--
+2.39.5
+
diff -Nru mongo-c-driver-1.30.4/debian/patches/series mongo-c-driver-1.30.4/debian/patches/series
--- mongo-c-driver-1.30.4/debian/patches/series 2025-05-07 15:11:43.000000000 -0400
+++ mongo-c-driver-1.30.4/debian/patches/series 2025-12-18 14:50:07.000000000 -0500
@@ -1 +1,2 @@
0001_local_mathjax.diff
+CVE-2025-12119.patch
--- End Message ---