Bug#1104705: bookworm-pu: package libbson-xs-perl/0.8.4-2+deb12u1

Roberto C. Sanchez roberto at connexer.com
Sun May 4 23:22:23 BST 2025


Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: libbson-xs-perl at packages.debian.org
Control: affects -1 + src:libbson-xs-perl

[ Reason ]
Fix an assortment of <no-dsa> CVEs.

[ Impact ]
Without this update some memory corruption and application crash
vulnerabilities will remain unresolved.

[ Tests ]
The patches are cherry-picks of the relevant upstream commits, with some
minor tweaks required during backporting to the older libbson code
embedded in this package. The upstream commits have passed through
extensive CI upstream and they have been available to users for between
6 months and 7 years (via upstream releases of mongo-c-driver and/or
libbson, which include the fixes and the corresponding packages in
Debian unstable/testing).

[ Risks ]
The risks are low. The 6 patches themselves in aggregate have the
following extent:
4 files changed, 43 insertions(+), 13 deletions(-)

Additionally, 4 of the 6 patches have been recently re-examined as part
of backporting them to mongo-c-driver/1.23.1-1+deb12u1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

* libbson-xs-perl is removed from unstable, so this is N/A

[ Changes ]
CVE-2017-14227: Check for zero string length (cherry-picked, ignoring
test-specific changes and accounting for whitespace differences)

CVE-2018-16790: Verify bounds before binary length read (cherry-picked,
ignoring test-specific changes and accounting for whitespace
differences)

CVE-2023-0437: change type of loop indices to guard against overflow
(cherry-picked with no changes required)

CVE-2024-6381: iterate over a NULL-terminated string using a pointer
(checking for the NULL to know when to stop) rather than an integer
index (cherry-picked with no non-whitespace changes required)

CVE-2024-6383: keep track of allocated string size during allocation and
append operations to guard against buffer overflow and memory corruption
(backported with adjustments to whitespace and for using primitives for
bounds checking, rather than convenience macros introduced in later
upstream versions)

CVE-2025-0755: keep track of allocated string size during append
operations to guard against buffer overflow and memory corruption
(cherry-picked with adjustments for using primitives for bounds
checking, rather than convenience macros introduced in later upstream
versions)

[ Other info ]
No further information.


-------------- next part --------------
diff -Nru libbson-xs-perl-0.8.4/debian/changelog libbson-xs-perl-0.8.4/debian/changelog
--- libbson-xs-perl-0.8.4/debian/changelog	2022-11-19 15:12:44.000000000 -0500
+++ libbson-xs-perl-0.8.4/debian/changelog	2025-05-03 16:43:49.000000000 -0400
@@ -1,3 +1,33 @@
+libbson-xs-perl (0.8.4-2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix security issues in embedded copy of libbson:
+    + CVE-2017-14227: the bson_iter_codewscope function in bson-iter.c
+      miscalculates a bson_utf8_validate length argument, which allows remote
+      attackers to cause a denial of service (heap-based buffer over-read in the
+      bson_utf8_validate function in bson-utf8.c), as demonstrated by
+      bson-to-json.c.
+    + CVE-2018-16790: _bson_iter_next_internal has a heap-based buffer over-read
+      via a crafted bson buffer.
+    + CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop
+      with an exit condition that cannot be reached may occur, i.e. an infinite
+      loop.
+    + CVE-2024-6381: The bson_strfreev function in the MongoDB C driver
+      library may be susceptible to an integer overflow where the function will
+      try to free memory at a negative offset. This may result in memory
+      corruption.
+    + CVE-2024-6383: The bson_string_append function in MongoDB C Driver may
+      be vulnerable to a buffer overflow where the function might attempt to
+      allocate too small of buffer and may lead to memory corruption of
+      neighbouring heap memory.
+    + CVE-2025-0755: The various bson_append functions in the MongoDB C
+      driver library may be susceptible to buffer overflow when performing
+      operations that could result in a final BSON document which exceeds the
+      maximum allowable size (INT32_MAX), resulting in a segmentation fault and
+      possible application crash.
+
+ -- Roberto C. S?nchez <roberto at debian.org>  Sat, 03 May 2025 16:43:49 -0400
+
 libbson-xs-perl (0.8.4-2) unstable; urgency=medium
 
   [ Yadd ]
diff -Nru libbson-xs-perl-0.8.4/debian/gbp.conf libbson-xs-perl-0.8.4/debian/gbp.conf
--- libbson-xs-perl-0.8.4/debian/gbp.conf	2022-11-19 15:12:44.000000000 -0500
+++ libbson-xs-perl-0.8.4/debian/gbp.conf	2025-05-03 16:43:49.000000000 -0400
@@ -1,5 +1,6 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = debian/bookworm
 
 [import-orig]
 filter = [ '.gitignore', '.travis.yml', '.git*' ]
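Review bot: the `debian-branch = debian/bookworm` line added under `[DEFAULT]` is not mentioned in the new debian/changelog entry, which lists only the six CVE fixes, while the request checklist states that all changes are documented in d/changelog. Add a changelog line for the gbp.conf branch setting, or leave it out of the upload if it is only a packaging-workflow convenience.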
diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2017-14227.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2017-14227.patch
--- libbson-xs-perl-0.8.4/debian/patches/CVE-2017-14227.patch	1969-12-31 19:00:00.000000000 -0500
+++ libbson-xs-perl-0.8.4/debian/patches/CVE-2017-14227.patch	2025-05-03 16:43:49.000000000 -0400
@@ -0,0 +1,36 @@
+From 42900956dc461dfe7fb91d93361d10737c1602b3 Mon Sep 17 00:00:00 2001
+From: Kevin Albertson <kevin.albertson at 10gen.com>
+Date: Fri, 8 Sep 2017 10:47:10 -0400
+Subject: [PATCH] CDRIVER-2269 Check for zero string length in codewscope
+
+Origin: backport, https://github.com/mongodb/libbson/commit/42900956dc461dfe7fb91d93361d10737c1602b3
+---
+ src/bson/bson-iter.c          |  35 +++++++++++----------
+ tests/binary/cdriver2269.bson | Bin 0 -> 28 bytes
+ bson/bson-iter.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+ create mode 100644 tests/binary/cdriver2269.bson
+
+--- a/bson/bson-iter.c
++++ b/bson/bson-iter.c
+@@ -671,7 +671,7 @@
+          memcpy (&l, iter->raw + iter->d2, sizeof (l));
+          l = BSON_UINT32_FROM_LE (l);
+ 
+-         if (l >= (len - o - 4 - 4)) {
++         if (l == 0 || l >= (len - o - 4 - 4)) {
+             iter->err_off = o;
+             goto mark_invalid;
+          }
+@@ -1312,7 +1312,10 @@
+    if (ITER_TYPE (iter) == BSON_TYPE_CODEWSCOPE) {
+       if (length) {
+          memcpy (&len, iter->raw + iter->d2, sizeof (len));
+-         *length = BSON_UINT32_FROM_LE (len) - 1;
++         /* The string length was checked > 0 in _bson_iter_next_internal. */
++         len = BSON_UINT32_FROM_LE (len);
++         BSON_ASSERT (len > 0);
++         *length = len - 1;
+       }
+ 
+       memcpy (&len, iter->raw + iter->d4, sizeof (len));
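Review bot: the patch header still carries the upstream diffstat lines `src/bson/bson-iter.c | 35 +++++++++++----------` and `tests/binary/cdriver2269.bson | Bin 0 -> 28 bytes`, plus `create mode 100644 tests/binary/cdriver2269.bson`, but the body only changes bson/bson-iter.c, so the zero-length codewscope case ships here without its regression input. Trim the header to the one file actually touched and state in it that the test file was dropped in the backport. Note also that the new `BSON_ASSERT (len > 0)` in the second inner hunk is only safe because of the `l == 0` rejection added in the first, so the two must stay together if the patch is ever split.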
diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2018-16790.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2018-16790.patch
--- libbson-xs-perl-0.8.4/debian/patches/CVE-2018-16790.patch	1969-12-31 19:00:00.000000000 -0500
+++ libbson-xs-perl-0.8.4/debian/patches/CVE-2018-16790.patch	2025-05-03 16:43:49.000000000 -0400
@@ -0,0 +1,36 @@
+From 0d9a4d98bfdf4acd2c0138d4aaeb4e2e0934bd84 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <sgayou at redhat.com>
+Date: Fri, 14 Sep 2018 11:55:11 -0500
+Subject: [PATCH] Fix for CVE-2018-16790 -- Verify bounds before binary length
+ read.
+
+As reported here: https://jira.mongodb.org/browse/CDRIVER-2819,
+a heap overread occurs due a failure to correctly verify data
+bounds.
+
+In the original check, len - o returns the data left including the
+sizeof(l) we just read. Instead, the comparison should check
+against the data left NOT including the binary int32, i.e. just
+subtype (byte*) instead of int32 subtype (byte*).
+
+Added in test for corrupted BSON example.
+
+Origin: backport, https://github.com/mongodb/mongo-c-driver/commit/0d9a4d98bfdf4acd2c0138d4aaeb4e2e0934bd84
+---
+ src/libbson/src/bson/bson-iter.c     |   2 +-
+ src/libbson/tests/binary/test59.bson | Bin 0 -> 17 bytes
+ bson/bson-iter.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ create mode 100644 src/libbson/tests/binary/test59.bson
+
+--- a/bson/bson-iter.c
++++ b/bson/bson-iter.c
+@@ -526,7 +526,7 @@
+          memcpy (&l, iter->raw + iter->d1, sizeof (l));
+          l = BSON_UINT32_FROM_LE (l);
+ 
+-         if (l >= (len - o)) {
++         if (l >= (len - o - 4)) {
+             iter->err_off = o;
+             goto mark_invalid;
+          }
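Review bot: in `if (l >= (len - o - 4))` the hunk does not show a guard that `len - o` is at least 4, and if `len` and `o` are unsigned the subtraction wraps to a very large value, so the check would pass for any `l`. Please confirm that the older embedded bson-iter.c tests the remaining length before this `memcpy` (the codewscope check in CVE-2017-14227.patch has the same `len - o - 4 - 4` shape), or add an explicit comparison ahead of the read. The header also lists `src/libbson/tests/binary/test59.bson`, which this backport does not add.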
diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2023-0437.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2023-0437.patch
--- libbson-xs-perl-0.8.4/debian/patches/CVE-2023-0437.patch	1969-12-31 19:00:00.000000000 -0500
+++ libbson-xs-perl-0.8.4/debian/patches/CVE-2023-0437.patch	2025-05-03 16:43:49.000000000 -0400
@@ -0,0 +1,29 @@
+From fd3a978b35cac8f3c78c4d9a1b08fd5aa4d440b8 Mon Sep 17 00:00:00 2001
+From: Kevin Albertson <kevin.albertson at mongodb.com>
+Date: Mon, 30 Oct 2023 18:01:30 +0000
+Subject: [PATCH] CDRIVER-4747 use `size_t` consistently in
+ `bson_utf8_validate` (#1458)
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/fd3a978b35cac8f3c78c4d9a1b08fd5aa4d440b8
+---
+ src/libbson/src/bson/bson-utf8.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bson/bson-utf8.c b/bson/bson-utf8.c
+index d7e9168c96..ac7a1bddfe 100644
+--- a/bson/bson-utf8.c
++++ b/bson/bson-utf8.c
+@@ -118,8 +118,8 @@ bson_utf8_validate (const char *utf8, /* IN */
+    bson_unichar_t c;
+    uint8_t first_mask;
+    uint8_t seq_length;
+-   unsigned i;
+-   unsigned j;
++   size_t i;
++   size_t j;
+ 
+    BSON_ASSERT (utf8);
+ 
+-- 
+2.39.5
+
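Review bot: only the declarations of `i` and `j` are visible in this hunk, so the change from `unsigned` to `size_t` removes the unreachable exit condition only if the bound they are compared against in the older embedded `bson_utf8_validate` is itself a `size_t`. Since the request says no changes were required, it is worth confirming that against the 0.8.4 copy of bson/bson-utf8.c and checking that no other use of `i` or `j` there narrows back to `unsigned`. Minor: the header keeps the upstream `index d7e9168c96..ac7a1bddfe` line and the `src/libbson/src/bson/bson-utf8.c` diffstat path although the diff is against bson/bson-utf8.c.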
diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6381.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6381.patch
--- libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6381.patch	1969-12-31 19:00:00.000000000 -0500
+++ libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6381.patch	2025-05-03 16:43:49.000000000 -0400
@@ -0,0 +1,29 @@
+From effd95c34ad421df94eec7c69236f0e4172552d0 Mon Sep 17 00:00:00 2001
+From: Ezra Chung <88335979+eramongodb at users.noreply.github.com>
+Date: Fri, 8 Mar 2024 13:09:07 -0600
+Subject: [PATCH] CDRIVER-5504 Use pointer-based iteration when traversing
+ array elements (#1552)
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/effd95c34ad421df94eec7c69236f0e4172552d0
+---
+ bson/bson-string.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/bson/bson-string.c
++++ b/bson/bson-string.c
+@@ -491,11 +491,11 @@
+ void
+ bson_strfreev (char **str) /* IN */
+ {
+-   int i;
+-
+    if (str) {
+-      for (i = 0; str [i]; i++)
+-         bson_free (str [i]);
++      for (char **ptr = str; *ptr != NULL; ++ptr) {
++         bson_free (*ptr);
++      }
++
+       bson_free (str);
+    }
+ }
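Review bot: `for (char **ptr = str; *ptr != NULL; ++ptr)` declares the variable in the loop initialiser, which needs C99, whereas the code it replaces used a block-level `int i;`. If the XS build of the embedded libbson is not guaranteed to compile in a C99 or later mode, hoist `char **ptr;` to the top of `bson_strfreev` so the backport stays buildable with the flags this package already uses.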
diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6383.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6383.patch
--- libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6383.patch	1969-12-31 19:00:00.000000000 -0500
+++ libbson-xs-perl-0.8.4/debian/patches/CVE-2024-6383.patch	2025-05-03 16:43:49.000000000 -0400
@@ -0,0 +1,68 @@
+From 7c34461863211be172e6317221d72e4429bed45e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto at connexer.com>
+Date: Fri, 3 May 2024 15:30:45 -0400
+Subject: [PATCH] CDRIVER-5552 more robust string handling (#1593)
+
+Co-authored-by: Kevin Albertson <kevin.albertson at 10gen.com>
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/7c34461863211be172e6317221d72e4429bed45e
+---
+ bson/bson-string.c |   24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/bson/bson-string.c
++++ b/bson/bson-string.c
+@@ -57,16 +57,25 @@
+ bson_string_new (const char *str) /* IN */
+ {
+    bson_string_t *ret;
++   size_t len_sz;
+ 
+    ret = bson_malloc0 (sizeof *ret);
+-   ret->len = str ? (int)strlen (str) : 0;
++   if (str) {
++      len_sz = strlen (str);
++      BSON_ASSERT (len_sz <= UINT32_MAX);
++      ret->len = (uint32_t) len_sz;
++   } else {
++      ret->len = 0;
++   }
+    ret->alloc = ret->len + 1;
+ 
+    if (!bson_is_power_of_two (ret->alloc)) {
+-      ret->alloc = (uint32_t)bson_next_power_of_two ((size_t)ret->alloc);
++      len_sz = bson_next_power_of_two ((size_t) ret->alloc);
++      BSON_ASSERT (len_sz <= UINT32_MAX);
++      ret->alloc = (uint32_t) len_sz;
+    }
+ 
+-   BSON_ASSERT (ret->alloc >= 1);
++   BSON_ASSERT (ret->alloc >= ret->len + 1);
+ 
+    ret->str = bson_malloc (ret->alloc);
+ 
+@@ -142,16 +151,23 @@
+                     const char    *str)    /* IN */
+ {
+    uint32_t len;
++   size_t len_sz;
+ 
+    BSON_ASSERT (string);
+    BSON_ASSERT (str);
+ 
+    len = (uint32_t)strlen (str);
++   len_sz = strlen (str);
++   BSON_ASSERT (len_sz <= UINT32_MAX);
++   len = (uint32_t) len_sz;
+ 
+    if ((string->alloc - string->len - 1) < len) {
++      BSON_ASSERT (string->alloc <= UINT32_MAX - len);
+       string->alloc += len;
+       if (!bson_is_power_of_two (string->alloc)) {
+-         string->alloc = (uint32_t)bson_next_power_of_two ((size_t)string->alloc);
++         len_sz = bson_next_power_of_two ((size_t) string->alloc);
++         BSON_ASSERT (len_sz <= UINT32_MAX);
++         string->alloc = (uint32_t) len_sz;
+       }
+       string->str = bson_realloc (string->str, string->alloc);
+    }
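Review bot: in the `bson_string_append` inner hunk the old `len = (uint32_t)strlen (str);` is kept as a context line directly above the new `len_sz = strlen (str);` sequence, so the string is measured twice and the unchecked truncating cast still runs before being overwritten. Drop the old assignment so that the only path into `len` is the one guarded by `BSON_ASSERT (len_sz <= UINT32_MAX)`. In `bson_string_new`, that same assert admits a length of exactly UINT32_MAX, and if `len` and `alloc` are 32-bit as the casts suggest, `ret->len + 1` wraps on both sides of `BSON_ASSERT (ret->alloc >= ret->len + 1)`; asserting `len_sz < UINT32_MAX` would close that edge.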
diff -Nru libbson-xs-perl-0.8.4/debian/patches/CVE-2025-0755.patch libbson-xs-perl-0.8.4/debian/patches/CVE-2025-0755.patch
--- libbson-xs-perl-0.8.4/debian/patches/CVE-2025-0755.patch	1969-12-31 19:00:00.000000000 -0500
+++ libbson-xs-perl-0.8.4/debian/patches/CVE-2025-0755.patch	2025-05-03 16:43:49.000000000 -0400
@@ -0,0 +1,34 @@
+From d3cdb626be30748b9360451023c75438ec346a38 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto at connexer.com>
+Date: Tue, 16 Jul 2024 16:15:16 -0400
+Subject: [PATCH] CDRIVER-5601 more robust bson append (#1648)
+
+Co-authored-by: Kevin Albertson <kevin.albertson at 10gen.com>
+Co-authored-by: Ezra Chung <88335979+eramongodb at users.noreply.github.com>
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/d3cdb626be30748b9360451023c75438ec346a38
+---
+ bson/bson.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/bson/bson.c
++++ b/bson/bson.c
+@@ -321,7 +321,18 @@
+ 
+    buf = _bson_data (bson) + bson->len - 1;
+ 
++   /* Track running sum of bytes written in a uint64_t to detect possible overflow of `n_bytes`. */
++   uint64_t n_bytes_sum = 0;
+    do {
++      // Size of any individual data being appended should not exceed the total byte limit.
++      if (BSON_UNLIKELY (n_bytes < data_len)) {
++         return false;
++      }
++      // Total size of data being appended should not exceed the total byte limit.
++      if (BSON_UNLIKELY (n_bytes_sum > n_bytes - data_len)) {
++         return false;
++      }
++      n_bytes_sum += data_len;
+       n_pairs--;
+       memcpy (buf, data, data_len);
+       bson->len += data_len;
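Review bot: both new `return false` paths sit inside the `do` loop, after earlier iterations have already run `memcpy (buf, data, data_len)` and `bson->len += data_len`, so a failure on a later pair returns with the document partially appended. Either validate the running total for all pairs before the first copy, or document that callers must discard the `bson_t` when the append returns false. The `uint64_t n_bytes_sum = 0;` declaration placed after a statement and the `//` comments also assume a C99 or later build, unlike the surrounding `/* */` style.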
diff -Nru libbson-xs-perl-0.8.4/debian/patches/series libbson-xs-perl-0.8.4/debian/patches/series
--- libbson-xs-perl-0.8.4/debian/patches/series	1969-12-31 19:00:00.000000000 -0500
+++ libbson-xs-perl-0.8.4/debian/patches/series	2025-05-03 16:43:49.000000000 -0400
@@ -0,0 +1,6 @@
+CVE-2017-14227.patch
+CVE-2018-16790.patch
+CVE-2023-0437.patch
+CVE-2024-6381.patch
+CVE-2024-6383.patch
+CVE-2025-0755.patch
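
The bounds rule behind the CVE-2018-16790 item listed under [ Changes ], as an added example that is not part of the original message or of libbson: a simplified stand-alone model that computes how far a length-prefixed binary field (int32 length, one subtype byte, payload) would extend past the buffer under the old and the corrected comparison. The function names, the constructed buffers and the omission of the BSON key and document terminator are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum check_mode { CHECK_LEGACY, CHECK_FIXED };

/* Constructed 12-byte buffer: 4 filler bytes, then at offset 4 a field header
 * claiming 5 payload bytes although only 8 bytes remain in the buffer. */
static const uint8_t SAMPLE_BAD[12] = {0, 0, 0, 0, 5, 0, 0, 0, 0x00, 'a', 'b', 'c'};
/* Same layout with an honest length of 3: 4 + 1 + 3 == 8 remaining bytes. */
static const uint8_t SAMPLE_OK[12] = {0, 0, 0, 0, 3, 0, 0, 0, 0x00, 'a', 'b', 'c'};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns -1 if the field is rejected, otherwise the number of bytes by which
 * int32 + subtype + payload would run past the buffer (0 means it fits).
 * Only offsets are computed; nothing beyond the int32 is dereferenced. */
int64_t overrun_bytes(const uint8_t *raw, uint32_t len, uint32_t o,
                      enum check_mode mode)
{
    uint32_t l, limit;
    uint64_t end;

    if (len < 4 || o > len - 4)
        return -1;                  /* no room for the int32; avoids wrap below */
    l = read_le32(raw + o);
    /* Legacy compares against everything left, including the int32 just read;
     * the fix compares against what is left after that int32. */
    limit = (mode == CHECK_LEGACY) ? len - o : len - o - 4;
    if (l >= limit)
        return -1;
    end = (uint64_t)o + 4 + 1 + l;  /* one past the last payload byte */
    return end > len ? (int64_t)(end - len) : 0;
}

int main(void)
{
    printf("legacy, inflated length: %lld\n",
           (long long)overrun_bytes(SAMPLE_BAD, 12, 4, CHECK_LEGACY));
    printf("fixed,  inflated length: %lld\n",
           (long long)overrun_bytes(SAMPLE_BAD, 12, 4, CHECK_FIXED));
    printf("fixed,  honest length:   %lld\n",
           (long long)overrun_bytes(SAMPLE_OK, 12, 4, CHECK_FIXED));
    return 0;
}
```

The initial `o > len - 4` test is what keeps the unsigned subtraction in the fixed comparison from wrapping when fewer than four bytes remain.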

