Version in base suite: 1.30.4-1

Base version: mongo-c-driver_1.30.4-1
Target version: mongo-c-driver_1.30.4-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mongo-c-driver/mongo-c-driver_1.30.4-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mongo-c-driver/mongo-c-driver_1.30.4-1+deb13u1.dsc

 changelog                    |    7 +
 gbp.conf                     |    4 -
 patches/CVE-2025-12119.patch |  153 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 4 files changed, 163 insertions(+), 2 deletions(-)

gpgv: Signature made Wed May  7 19:16:55 2025 UTC
gpgv:                using RSA key 2186750D1E1A7B950BD35ABB95D1664DD2F59142
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: WARNING: signing subkey 95D1664DD2F59142 has an invalid cross-certification
gpgv: Can't check signature: General error
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp68bjm9h8/mongo-c-driver_1.30.4-1.dsc: no acceptable signature found
gpgv: Signature made Thu Dec 18 21:49:46 2025 UTC
gpgv:                using RSA key 2186750D1E1A7B950BD35ABB95D1664DD2F59142
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: WARNING: signing subkey 95D1664DD2F59142 has an invalid cross-certification
gpgv: Can't check signature: General error
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp68bjm9h8/mongo-c-driver_1.30.4-1+deb13u1.dsc: no acceptable signature found
diff -Nru mongo-c-driver-1.30.4/debian/changelog mongo-c-driver-1.30.4/debian/changelog
--- mongo-c-driver-1.30.4/debian/changelog	2025-05-07 19:11:43.000000000 +0000
+++ mongo-c-driver-1.30.4/debian/changelog	2025-12-18 19:50:07.000000000 +0000
@@ -1,3 +1,10 @@
+mongo-c-driver (1.30.4-1+deb13u1) trixie; urgency=medium
+
+  * Fix CVE-2025-12119: mongoc_bulk_operation_t may read invalid memory if
+    large options are passed.
+
+ -- Roberto C. Sanchez <roberto@connexer.com>  Thu, 18 Dec 2025 14:50:07 -0500
+
 mongo-c-driver (1.30.4-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru mongo-c-driver-1.30.4/debian/gbp.conf mongo-c-driver-1.30.4/debian/gbp.conf
--- mongo-c-driver-1.30.4/debian/gbp.conf	2025-05-07 19:11:43.000000000 +0000
+++ mongo-c-driver-1.30.4/debian/gbp.conf	2025-12-18 19:50:07.000000000 +0000
@@ -14,9 +14,9 @@
     utf8proc_rm_files=\"$(find src/utf8proc-* -printf '%p ')\" &&
     # Create upstream tarball from reference, exclude items that do not belong
     pushd $GBP_GIT_DIR/.. &&
-    git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files \$utf8proc_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz &&
+    ( [ -f $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ] || git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files \$utf8proc_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz ) &&
     popd &&
     rm -rf \$zlib_rm_files \$utf8proc_rm_files"
 
 upstream-tag = %(version)s
-debian-branch = debian/unstable
+debian-branch = debian/trixie
diff -Nru mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch
--- mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch	1970-01-01 00:00:00.000000000 +0000
+++ mongo-c-driver-1.30.4/debian/patches/CVE-2025-12119.patch	2025-12-18 19:50:07.000000000 +0000
@@ -0,0 +1,153 @@
+From 27419bebfa8c0772e220592c86cf700b1ce2995d Mon Sep 17 00:00:00 2001
+From: Kevin Albertson <kevin.albertson@mongodb.com>
+Date: Mon, 6 Oct 2025 11:38:22 -0400
+Subject: [PATCH] CDRIVER-6112 fix ownership transfer of
+ `mongoc_write_command_t` (#2132) (#2137)
+
+* add regression test
+* do not memcpy `bson_t` struct in array
+  * `memcpy` does not correctly transfer ownership of `bson_t`. Instead: heap allocate `bson_t`.
+* warn against using `bson_t` in `mongoc_array_t`
+---
+ .../src/mongoc/mongoc-array-private.h         |  3 +
+ .../src/mongoc/mongoc-write-command-private.h |  2 +-
+ .../src/mongoc/mongoc-write-command.c         |  8 +--
+ src/libmongoc/tests/test-mongoc-bulk.c        | 56 +++++++++++++++++++
+ 4 files changed, 64 insertions(+), 5 deletions(-)
+
+diff --git a/src/libmongoc/src/mongoc/mongoc-array-private.h b/src/libmongoc/src/mongoc/mongoc-array-private.h
+index 9956224b34..c8de6f1f52 100644
+--- a/src/libmongoc/src/mongoc/mongoc-array-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-array-private.h
+@@ -25,6 +25,9 @@
+ BSON_BEGIN_DECLS
+ 
+ 
++// mongoc_array_t stores an array of objects of type T.
++//
++// T must be trivially relocatable. In particular, `bson_t` is not trivially relocatable (CDRIVER-6113).
+ typedef struct _mongoc_array_t mongoc_array_t;
+ 
+ 
+diff --git a/src/libmongoc/src/mongoc/mongoc-write-command-private.h b/src/libmongoc/src/mongoc/mongoc-write-command-private.h
+index 85121594e0..c1bf751e01 100644
+--- a/src/libmongoc/src/mongoc/mongoc-write-command-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-write-command-private.h
+@@ -61,7 +61,7 @@ typedef struct {
+    uint32_t n_documents;
+    mongoc_bulk_write_flags_t flags;
+    int64_t operation_id;
+-   bson_t cmd_opts;
++   bson_t *cmd_opts;
+ } mongoc_write_command_t;
+ 
+ 
+diff --git a/src/libmongoc/src/mongoc/mongoc-write-command.c b/src/libmongoc/src/mongoc/mongoc-write-command.c
+index a375d8f200..36f2470acb 100644
+--- a/src/libmongoc/src/mongoc/mongoc-write-command.c
++++ b/src/libmongoc/src/mongoc/mongoc-write-command.c
+@@ -143,9 +143,9 @@ _mongoc_write_command_init_bulk (
+    command->flags = flags;
+    command->operation_id = operation_id;
+    if (!bson_empty0 (opts)) {
+-      bson_copy_to (opts, &command->cmd_opts);
++      command->cmd_opts = bson_copy (opts);
+    } else {
+-      bson_init (&command->cmd_opts);
++      command->cmd_opts = bson_new ();
+    }
+ 
+    _mongoc_buffer_init (&command->payload, NULL, 0, NULL, NULL);
+@@ -671,7 +671,7 @@ _mongoc_write_opmsg (mongoc_write_command_t *command,
+                                ? MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_NO
+                                : MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_YES;
+ 
+-   BSON_ASSERT (bson_iter_init (&iter, &command->cmd_opts));
++   BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts));
+    if (!mongoc_cmd_parts_append_opts (&parts, &iter, error)) {
+       bson_destroy (&cmd);
+       mongoc_cmd_parts_cleanup (&parts);
+@@ -944,7 +944,7 @@ _mongoc_write_command_destroy (mongoc_write_command_t *command)
+    ENTRY;
+ 
+    if (command) {
+-      bson_destroy (&command->cmd_opts);
++      bson_destroy (command->cmd_opts);
+       _mongoc_buffer_destroy (&command->payload);
+    }
+ 
+diff --git a/src/libmongoc/tests/test-mongoc-bulk.c b/src/libmongoc/tests/test-mongoc-bulk.c
+index 357893ce1c..e4666c1db3 100644
+--- a/src/libmongoc/tests/test-mongoc-bulk.c
++++ b/src/libmongoc/tests/test-mongoc-bulk.c
+@@ -4768,6 +4768,55 @@ test_bulk_write_set_client_updates_operation_id_when_client_changes (void)
+    mock_server_destroy (mock_server);
+ }
+ 
++// `test_bulk_big_let` tests a bulk operation with a large let document to reproduce CDRIVER-6112:
++static void
++test_bulk_big_let (void *unused)
++{
++   BSON_UNUSED (unused);
++
++   mongoc_client_t *client = test_framework_new_default_client ();
++   mongoc_collection_t *coll = get_test_collection (client, "test_big_let");
++   bson_error_t error;
++
++   // Create bulk operation similar to PHP driver:
++   mongoc_bulk_operation_t *bulk = mongoc_bulk_operation_new (true /* ordered */);
++
++   // Set a large `let`: { "testDocument": { "a": "aaa..." } }
++   {
++      bson_t let = BSON_INITIALIZER, testDocument;
++      bson_append_document_begin (&let, "testDocument", -1, &testDocument);
++
++      // Append big string:
++      {
++         size_t num_chars = 79;
++         char *big_string = bson_malloc0 (num_chars + 1);
++         memset (big_string, 'a', num_chars);
++         BSON_APPEND_UTF8 (&testDocument, "a", big_string);
++         bson_free (big_string);
++      }
++
++      bson_append_document_end (&let, &testDocument);
++      mongoc_bulk_operation_set_let (bulk, &let);
++      bson_destroy (&let);
++   }
++
++
++   mongoc_bulk_operation_set_client (bulk, client);
++   mongoc_bulk_operation_set_database (bulk, "db");
++   mongoc_bulk_operation_set_collection (bulk, "coll");
++
++   mongoc_bulk_operation_update (
++      bulk, tmp_bson ("{'_id': 1}"), tmp_bson ("{'$set': {'document': '$$testDocument'}}"), true);
++
++
++   ASSERT_OR_PRINT (mongoc_bulk_operation_execute (bulk, NULL, &error), error);
++
++   mongoc_bulk_operation_destroy (bulk);
++   mongoc_collection_destroy (coll);
++   mongoc_client_destroy (client);
++}
++
++
+ void
+ test_bulk_install (TestSuite *suite)
+ {
+@@ -4946,4 +4995,11 @@ test_bulk_install (TestSuite *suite)
+    TestSuite_AddMockServerTest (suite,
+                                 "/BulkOperation/set_client_updates_operation_id_when_client_changes",
+                                 test_bulk_write_set_client_updates_operation_id_when_client_changes);
++   TestSuite_AddFull (
++      suite,
++      "/BulkOperation/big_let",
++      test_bulk_big_let,
++      NULL,
++      NULL,
++      test_framework_skip_if_max_wire_version_less_than_13 /* 5.0+ for 'let' support in CRUD commands */);
+ }
+-- 
+2.39.5
+
diff -Nru mongo-c-driver-1.30.4/debian/patches/series mongo-c-driver-1.30.4/debian/patches/series
--- mongo-c-driver-1.30.4/debian/patches/series	2025-05-07 19:11:43.000000000 +0000
+++ mongo-c-driver-1.30.4/debian/patches/series	2025-12-18 19:50:07.000000000 +0000
@@ -1 +1,2 @@
 0001_local_mathjax.diff
+CVE-2025-12119.patch