Version in base suite: 1.23.1-1 Base version: mongo-c-driver_1.23.1-1 Target version: mongo-c-driver_1.23.1-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mongo-c-driver/mongo-c-driver_1.23.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mongo-c-driver/mongo-c-driver_1.23.1-1+deb12u1.dsc changelog | 21 ++++++++++++ gbp.conf | 7 +--- patches/CVE-2023-0437.patch | 29 ++++++++++++++++ patches/CVE-2024-6381.patch | 34 +++++++++++++++++++ patches/CVE-2024-6383.patch | 77 ++++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2025-0755.patch | 39 ++++++++++++++++++++++ patches/series | 4 ++ 7 files changed, 207 insertions(+), 4 deletions(-)
diff -Nru mongo-c-driver-1.23.1/debian/changelog mongo-c-driver-1.23.1/debian/changelog
--- mongo-c-driver-1.23.1/debian/changelog 2022-10-20 16:58:40.000000000 +0000
+++ mongo-c-driver-1.23.1/debian/changelog 2025-04-18 20:28:00.000000000 +0000
@@ -1,3 +1,24 @@ +mongo-c-driver (1.23.1-1+deb12u1) bookworm; urgency=medium + + * Fix CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop + with an exit condition that cannot be reached may occur, i.e. an infinite + loop. + * Fix CVE-2024-6381: The bson_strfreev function in the MongoDB C driver + library may be susceptible to an integer overflow where the function will + try to free memory at a negative offset. This may result in memory + corruption. + * Fix CVE-2024-6383: The bson_string_append function in MongoDB C Driver may + be vulnerable to a buffer overflow where the function might attempt to + allocate too small of buffer and may lead to memory corruption of + neighbouring heap memory. + * Fix CVE-2025-0755: The various bson_append functions in the MongoDB C + driver library may be susceptible to buffer overflow when performing + operations that could result in a final BSON document which exceeds the + maximum allowable size (INT32_MAX), resulting in a segmentation fault and + possible application crash. + + -- Roberto C. Sanchez Fri, 18 Apr 2025 16:28:00 -0400 + mongo-c-driver (1.23.1-1) unstable; urgency=medium * New upstream release diff -Nru mongo-c-driver-1.23.1/debian/gbp.conf mongo-c-driver-1.23.1/debian/gbp.conf --- mongo-c-driver-1.23.1/debian/gbp.conf 2022-10-20 16:58:40.000000000 +0000 +++ mongo-c-driver-1.23.1/debian/gbp.conf 2025-04-18 20:28:00.000000000 +0000 @@ -1,7 +1,6 @@ [DEFAULT] pristine-tar = False no-create-orig = True -pbuilder = True prebuild = bash -c " # Show execution trace 
@@ -13,11 +12,11 @@ zlib_rm_files=\"$(find src/zlib-* -mindepth 1 -maxdepth 1 \! -name zconf.h.in -printf '%p ')\" && # Create upstream tarball from reference, exclude items that do not belong pushd $GBP_GIT_DIR/.. && - git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz && + ( [ -f $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ] || git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ) && popd && rm -rf \$zlib_rm_files" upstream-tree = BRANCH -upstream-branch = r1.23 +upstream-branch = debian/bookworm upstream-tag = %(version)s -debian-branch = r1.23 +debian-branch = debian/bookworm diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch --- mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch 1970-01-01 00:00:00.000000000 +0000 +++ mongo-c-driver-1.23.1/debian/patches/CVE-2023-0437.patch 2025-04-18 20:28:00.000000000 +0000 
@@ -0,0 +1,29 @@
+From fd3a978b35cac8f3c78c4d9a1b08fd5aa4d440b8 Mon Sep 17 00:00:00 2001
+From: Kevin Albertson
+Date: Mon, 30 Oct 2023 18:01:30 +0000
+Subject: [PATCH] CDRIVER-4747 use `size_t` consistently in
+ `bson_utf8_validate` (#1458)
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/fd3a978b35cac8f3c78c4d9a1b08fd5aa4d440b8
+---
+ src/libbson/src/bson/bson-utf8.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libbson/src/bson/bson-utf8.c b/src/libbson/src/bson/bson-utf8.c
+index d7e9168c96..ac7a1bddfe 100644
+--- a/src/libbson/src/bson/bson-utf8.c
++++ b/src/libbson/src/bson/bson-utf8.c
+@@ -118,8 +118,8 @@ bson_utf8_validate (const char *utf8, /* IN */
+ bson_unichar_t c;
+ uint8_t first_mask;
+ uint8_t seq_length;
+- unsigned i;
+- unsigned j;
++ size_t i;
++ size_t j;
+
+ BSON_ASSERT (utf8);
+
+--
+2.39.5
+
diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch
--- mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch 1970-01-01 00:00:00.000000000 +0000
+++ mongo-c-driver-1.23.1/debian/patches/CVE-2024-6381.patch 2025-04-18 20:28:00.000000000 +0000
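Review bot: The retyped `i` and `j` declarations in the inner hunk carry no comment saying why their width matters, so a later cleanup could narrow them again and bring back the non-terminating loop the changelog describes. I would add a line above them such as `/* i and j must be size_t: a narrower index can wrap before it reaches the length bound */`. The loop and the length parameter lie outside the hunk, so the assumption that the bound is a `size_t` comes from the patch subject and should be confirmed against the full function. The imported patch touches one file only, so no regression test for the long-input case comes with it.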
@@ -0,0 +1,34 @@
+From effd95c34ad421df94eec7c69236f0e4172552d0 Mon Sep 17 00:00:00 2001
+From: Ezra Chung <88335979+eramongodb@users.noreply.github.com>
+Date: Fri, 8 Mar 2024 13:09:07 -0600
+Subject: [PATCH] CDRIVER-5504 Use pointer-based iteration when traversing
+ array elements (#1552)
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/effd95c34ad421df94eec7c69236f0e4172552d0
+---
+ src/libbson/src/bson/bson-string.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libbson/src/bson/bson-string.c b/src/libbson/src/bson/bson-string.c
+index 36c4c5ab49..958fd10666 100644
+--- a/src/libbson/src/bson/bson-string.c
++++ b/src/libbson/src/bson/bson-string.c
+@@ -473,11 +473,11 @@ bson_strndup (const char *str, /* IN */
+ void
+ bson_strfreev (char **str) /* IN */
+ {
+- int i;
+-
+ if (str) {
+- for (i = 0; str[i]; i++)
+- bson_free (str[i]);
++ for (char **ptr = str; *ptr != NULL; ++ptr) {
++ bson_free (*ptr);
++ }
++
+ bson_free (str);
+ }
+ }
+--
+2.39.5
+
diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch
--- mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch 1970-01-01 00:00:00.000000000 +0000
+++ mongo-c-driver-1.23.1/debian/patches/CVE-2024-6383.patch 2025-04-18 20:28:00.000000000 +0000
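Review bot: `bson_strfreev` still walks the array until the first NULL entry, and nothing at the definition states that the array must be NULL-terminated or why the integer index was dropped. A short comment above the new loop would keep the fix from being undone, for example `/* str must be NULL-terminated; iterate by pointer so no int index can overflow on a very long array */`. The loop declares `char **ptr` in the `for` header, which needs C99; the other patches in this upload use C99 constructs as well, so this is likely fine, but it is worth confirming against the package's build flags.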
@@ -0,0 +1,77 @@
+From 7c34461863211be172e6317221d72e4429bed45e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?=
+Date: Fri, 3 May 2024 15:30:45 -0400
+Subject: [PATCH] CDRIVER-5552 more robust string handling (#1593)
+
+Co-authored-by: Kevin Albertson
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/7c34461863211be172e6317221d72e4429bed45e
+---
+ src/libbson/src/bson/bson-string.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/src/libbson/src/bson/bson-string.c
++++ b/src/libbson/src/bson/bson-string.c
+@@ -20,6 +20,7 @@
+
+ #include "bson-compat.h"
+ #include "bson-config.h"
++#include "bson-cmp.h"
+ #include "bson-string.h"
+ #include "bson-memory.h"
+ #include "bson-utf8.h"
+@@ -61,16 +62,25 @@
+ bson_string_new (const char *str) /* IN */
+ {
+ bson_string_t *ret;
++ size_t len_sz;
+
+ ret = bson_malloc0 (sizeof *ret);
+- ret->len = str ? (int) strlen (str) : 0;
++ if (str) {
++ len_sz = strlen (str);
++ BSON_ASSERT (len_sz <= UINT32_MAX);
++ ret->len = (uint32_t) len_sz;
++ } else {
++ ret->len = 0;
++ }
+ ret->alloc = ret->len + 1;
+
+ if (!bson_is_power_of_two (ret->alloc)) {
+- ret->alloc = (uint32_t) bson_next_power_of_two ((size_t) ret->alloc);
++ len_sz = bson_next_power_of_two ((size_t) ret->alloc);
++ BSON_ASSERT (len_sz <= UINT32_MAX);
++ ret->alloc = (uint32_t) len_sz;
+ }
+
+- BSON_ASSERT (ret->alloc >= 1);
++ BSON_ASSERT (ret->alloc >= ret->len + 1);
+
+ ret->str = bson_malloc (ret->alloc);
+
+@@ -125,17 +135,22 @@
+ const char *str) /* IN */
+ {
+ uint32_t len;
++ size_t len_sz;
+
+ BSON_ASSERT (string);
+ BSON_ASSERT (str);
+
+- len = (uint32_t) strlen (str);
++ len_sz = strlen (str);
++ BSON_ASSERT (bson_in_range_unsigned (uint32_t, len_sz));
++ len = (uint32_t) len_sz;
+
+ if ((string->alloc - string->len - 1) < len) {
++ BSON_ASSERT (string->alloc <= UINT32_MAX - len);
+ string->alloc += len;
+ if (!bson_is_power_of_two (string->alloc)) {
+- string->alloc =
+- (uint32_t) bson_next_power_of_two ((size_t) string->alloc);
++ len_sz = bson_next_power_of_two ((size_t) string->alloc);
++ BSON_ASSERT (len_sz <= UINT32_MAX);
++ string->alloc = (uint32_t) len_sz;
+ }
+ string->str = bson_realloc (string->str, string->alloc);
+ }
diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch
--- mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch 1970-01-01 00:00:00.000000000 +0000
+++ mongo-c-driver-1.23.1/debian/patches/CVE-2025-0755.patch 2025-04-18 20:28:00.000000000 +0000
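Review bot: In the `bson_string_new` hunk the new bound `BSON_ASSERT (len_sz <= UINT32_MAX);` still admits a length of exactly `UINT32_MAX`, and the following `ret->alloc = ret->len + 1;` then wraps to 0 if both fields are `uint32_t`, as the casts suggest. The replacement assertion `BSON_ASSERT (ret->alloc >= ret->len + 1);` cannot catch that case, because `ret->len + 1` wraps the same way and the comparison becomes trivially true. Making the bound strict, `BSON_ASSERT (len_sz < UINT32_MAX);`, leaves room for the terminator and gives the later assertion something real to check. The same range check is also spelled two ways (`len_sz <= UINT32_MAX` here, `bson_in_range_unsigned (uint32_t, len_sz)` in the `@@ -125,17 +135,22 @@` hunk); using one form would make the boundary easier to audit. Both function bodies continue outside the hunks, so the field types should be confirmed in the header.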
@@ -0,0 +1,39 @@
+From d3cdb626be30748b9360451023c75438ec346a38 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?=
+Date: Tue, 16 Jul 2024 16:15:16 -0400
+Subject: [PATCH] CDRIVER-5601 more robust bson append (#1648)
+
+Co-authored-by: Kevin Albertson
+Co-authored-by: Ezra Chung <88335979+eramongodb@users.noreply.github.com>
+
+Origin: https://github.com/mongodb/mongo-c-driver/commit/d3cdb626be30748b9360451023c75438ec346a38
+---
+ src/libbson/src/bson/bson.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/libbson/src/bson/bson.c b/src/libbson/src/bson/bson.c
+index adc5ee2cc8..e29b2a771c 100644
+--- a/src/libbson/src/bson/bson.c
++++ b/src/libbson/src/bson/bson.c
+@@ -324,7 +324,18 @@ _bson_append_va (bson_t *bson, /* IN */
+
+ buf = _bson_data (bson) + bson->len - 1;
+
++ /* Track running sum of bytes written in a uint64_t to detect possible overflow of `n_bytes`. */
++ uint64_t n_bytes_sum = 0;
+ do {
++ // Size of any individual data being appended should not exceed the total byte limit.
++ if (BSON_UNLIKELY (bson_cmp_less_uu (n_bytes, data_len))) {
++ return false;
++ }
++ // Total size of data being appended should not exceed the total byte limit.
++ if (BSON_UNLIKELY (bson_cmp_greater_uu (n_bytes_sum, n_bytes - data_len))) {
++ return false;
++ }
++ n_bytes_sum += data_len;
+ n_pairs--;
+ /* data may be NULL if data_len is 0. memcpy is not safe to call with
+ * NULL. */
+--
+2.39.5
+
diff -Nru mongo-c-driver-1.23.1/debian/patches/series mongo-c-driver-1.23.1/debian/patches/series
--- mongo-c-driver-1.23.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ mongo-c-driver-1.23.1/debian/patches/series 2025-04-18 20:28:00.000000000 +0000
@@ -0,0 +1,4 @@
+CVE-2023-0437.patch
+CVE-2024-6381.patch
+CVE-2024-6383.patch
+CVE-2025-0755.patch
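Review bot: Both new `return false;` exits in the `_bson_append_va` hunk sit inside the `do` loop, after `buf` has been set to `_bson_data (bson) + bson->len - 1`, the last byte of the existing document. A failure on a later pair would therefore be reached after earlier pairs were presumably already copied over that byte; the copy and the length update are outside the hunk, so this needs confirming against the full function. If nothing below restores that byte, either run both size checks over all pairs before the first copy, or rewrite the terminator on the failure path, e.g. `*(_bson_data (bson) + bson->len - 1) = '\0';` before each `return false;`. A one-line comment stating what state the document is left in when the function returns false would also help callers.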