XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Fix an assortment of <no-dsa> CVEs.
[ Impact ]
Without this update, some memory corruption and application crash vulnerabilities will remain unresolved.
[ Tests ]
The patches are straight cherry-picks of the relevant upstream commits,
which have passed through extensive CI upstream and they have been
available to users for between 6 and 18 months (both via upstream
releases which include the fixes and the corresponding packages in
Debian unstable/testing).
[ Risks ]
The risks are low. The 4 patches themselves in aggregate have the
following extent:
4 files changed, 38 insertions(+), 12 deletions(-)
The individual changes underwent substantial upstream scrutiny,
including code reviews by multiple developers, manual testing during development, and the aforementioned extensive CI.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
(Explain *all* the changes)
CVE-2023-0437: change type of loop indices to guard against overflow
(cherry-picked with no changes required)
CVE-2024-6381: iterate over a NULL-terminated string using a pointer
(checking for the NULL to know when to stop) rather than an integer
index (cherry-picked with no changes required)
CVE-2024-6383: keep track of allocated string size during allocation and
append operations to guard against buffer overflow and memory corruption
(backported with the only change being related to handling changed
whitespace)
CVE-2025-0755: keep track of allocated string size during append
operations to guard against buffer overflow and memory corruption
(cherry-picked with no changes required)
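The mitigation pattern behind the four changes, as an added C example that is not mongo-c-driver's code (the gstr_t type and the gstr_* / strfreev names are hypothetical, not bson_string_t, bson_string_append or bson_strfreev): an append that sizes its buffer from a tracked allocation field using unsigned lengths, and a pointer walk over a NULL-terminated array of strings instead of an int index.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative growable string (hypothetical, not the driver's bson_string_t). */
typedef struct {
    char *str;
    size_t len;   /* bytes in use, excluding the terminating NUL */
    size_t alloc; /* bytes allocated, including room for the NUL */
} gstr_t;

gstr_t *gstr_new(void) {
    gstr_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->alloc = 16;
    if (!(s->str = calloc(s->alloc, 1))) { free(s); return NULL; }
    return s;
}

/* Append src. The new size is derived from the tracked alloc/len fields with
   size_t arithmetic and an explicit overflow check, so the buffer can never be
   sized smaller than the bytes about to be written into it. */
int gstr_append(gstr_t *s, const char *src) {
    size_t src_len = strlen(src);
    if (src_len > SIZE_MAX - s->len - 1) return 0; /* length would overflow */
    size_t need = s->len + src_len + 1;
    if (need > s->alloc) {
        size_t new_alloc = s->alloc;
        while (new_alloc < need) {
            if (new_alloc > SIZE_MAX / 2) { new_alloc = need; break; }
            new_alloc *= 2;
        }
        char *p = realloc(s->str, new_alloc);
        if (!p) return 0;
        s->str = p;
        s->alloc = new_alloc;
    }
    memcpy(s->str + s->len, src, src_len + 1); /* copies the NUL as well */
    s->len += src_len;
    return 1;
}

void gstr_free(gstr_t *s) { if (s) { free(s->str); free(s); } }

/* Free a NULL-terminated array of strings by walking a pointer up to the
   sentinel rather than counting with an int index; returns strings freed. */
size_t strfreev(char **v) {
    size_t n = 0;
    if (!v) return 0;
    for (char **p = v; *p; p++) { free(*p); n++; }
    free(v);
    return n;
}
```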
[ Other info ]
I was the primary developer of 2 of the 4 patches, and I am very
confident in the team's processes around the other two patches. These
changes pose a minimal regression risk, if any at all.
diff -Nru mongo-c-driver-1.23.1/debian/changelog mongo-c-driver-1.23.1/debian/changelog
--- mongo-c-driver-1.23.1/debian/changelog 2022-10-20 12:58:40.000000000 -0400
+++ mongo-c-driver-1.23.1/debian/changelog 2025-04-18 16:28:00.000000000 -0400
@@ -1,3 +1,24 @@
+mongo-c-driver (1.23.1-1+deb12u1) bookworm; urgency=medium
+
+ * Fix CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop
+ with an exit condition that cannot be reached may occur, i.e. an infinite + loop.
+ * Fix CVE-2024-6381: The bson_strfreev function in the MongoDB C driver
+ library may be susceptible to an integer overflow where the function will + try to free memory at a negative offset. This may result in memory
+ corruption.
+ * Fix CVE-2024-6383: The bson_string_append function in MongoDB C Driver may + be vulnerable to a buffer overflow where the function might attempt to
+ allocate too small of buffer and may lead to memory corruption of
+ neighbouring heap memory.
+ * Fix CVE-2025-0755: The various bson_append functions in the MongoDB C
+ driver library may be
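Review bot: the three complete changelog bullets (CVE-2023-0437, CVE-2024-6381, CVE-2024-6383) describe each vulnerability but name neither the upstream commit the patch was cherry-picked from nor a Debian bug number, so a reader of d/changelog cannot trace a fix back to its source; consider ending each bullet with the upstream commit id (as noted under [ Changes ], these are straight cherry-picks) and, where one exists, a `Closes: #NNNNNN` reference.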