Debian Bug report logs - #874754 libbson: CVE-2017-14227
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, A. Jesse Jiryu Davis <jesse@mongodb.com>: Bug#874754; Package src:libbson. (Sat, 09 Sep 2017 13:33:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, A. Jesse Jiryu Davis <jesse@mongodb.com>. (Sat, 09 Sep 2017 13:33:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libbson
Version: 1.7.0-1
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for libbson.
CVE-2017-14227[0]:
| In MongoDB libbson 1.7.0, the bson_iter_codewscope function in
| bson-iter.c miscalculates a bson_utf8_validate length argument, which
| allows remote attackers to cause a denial of service (heap-based buffer
| over-read in the bson_utf8_validate function in bson-utf8.c), as
| demonstrated by bson-to-json.c.
The following shows the problem using the example bson-metrics:
00000000 15 00 00 00 0f 00 0e 00 00 00 00 00 00 00 06 00 |................|
00000010 00 00 00 00 00 00 03 e8 88 88 00 00 |............|
0000001c
cf. [1].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14227
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1489355
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, A. Jesse Jiryu Davis <jesse@mongodb.com>: Bug#874754; Package src:libbson. (Sat, 09 Sep 2017 15:39:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to A. Jesse Jiryu Davis <jesse@mongodb.com>. (Sat, 09 Sep 2017 15:39:05 GMT)
Message #10 received at 874754@bugs.debian.org:
Some debugging information:
=================================================================
==7414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000980 at pc 0x5555555759b3 bp 0x7fffffffd9b0 sp 0x7fffffffd9a8
READ of size 1 at 0x619000000980 thread T0
#0 0x5555555759b2 in _bson_utf8_get_sequence src/bson/bson-utf8.c:49
#1 0x555555575c3b in bson_utf8_validate src/bson/bson-utf8.c:131
#2 0x55555556cbf4 in bson_iter_visit_all src/bson/bson-iter.c:2069
#3 0x5555555607d5 in bson_metrics examples/bson-metrics.c:208
#4 0x555555560b01 in main examples/bson-metrics.c:257
#5 0x7f8775da02e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#6 0x55555555fce9 in _start (/root/libbson/bson-metrics+0xbce9)
0x619000000980 is located 0 bytes to the right of 1024-byte region [0x619000000580,0x619000000980)
allocated by thread T0 here:
#0 0x7f8776717bb8 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9bb8)
#1 0x55555556eb0c in bson_malloc0 src/bson/bson-memory.c:105
#2 0x555555571614 in bson_reader_new_from_handle src/bson/bson-reader.c:173
#3 0x555555571a2a in bson_reader_new_from_fd src/bson/bson-reader.c:304
#4 0x5555555731d4 in bson_reader_new_from_file src/bson/bson-reader.c:806
#5 0x5555555609fe in main examples/bson-metrics.c:244
#6 0x7f8775da02e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
SUMMARY: AddressSanitizer: heap-buffer-overflow src/bson/bson-utf8.c:49 in _bson_utf8_get_sequence
Shadow bytes around the buggy address:
0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7414==ABORTING
[
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f8775db442a in __GI_abort () at abort.c:89
#2 0x00007f877673741b in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#3 0x00007f877673ebb8 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#4 0x00007f8776721a8d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#5 0x00007f87767224e8 in __asan_report_load1 () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#6 0x00005555555759b3 in _bson_utf8_get_sequence (utf8=0x619000000980 "",
seq_length=0x7fffffffda90 "\001\220VUUU", first_mask=0x7fffffffda50 "\177\005")
at src/bson/bson-utf8.c:49
#7 0x0000555555575c3c in bson_utf8_validate (utf8=0x61900000058e "\006", utf8_len=4294967295,
allow_null=true) at src/bson/bson-utf8.c:131
#8 0x000055555556cbf5 in bson_iter_visit_all (iter=0x7fffffffe680,
visitor=0x5555557a4a20 <bson_metrics_visitors>, data=0x5555557ad960 <state>)
at src/bson/bson-iter.c:2069
#9 0x00005555555607d6 in bson_metrics (bson=0x6130000000c0, length=0x0,
data=0x5555557ad960 <state>) at examples/bson-metrics.c:208
#10 0x0000555555560b02 in main (argc=2, argv=0x7fffffffebe8) at examples/bson-metrics.c:257
and
(gdb) list src/bson/bson-iter.c:2069
2064 uint32_t doclen = 0;
2065 bson_t b;
2066
2067 code = bson_iter_codewscope (iter, &length, &doclen, &docbuf);
2068
2069 if (!bson_utf8_validate (code, length, true)) {
2070 iter->err_off = iter->off;
2071 return true;
2072 }
2073
(gdb) list src/bson/bson-utf8.c:131
126 unsigned j;
127
128 BSON_ASSERT (utf8);
129
130 for (i = 0; i < utf8_len; i += seq_length) {
131 _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
132
133 /*
134 * Ensure we have a valid multi-byte sequence length.
135 */
(gdb)
cf. as well https://bugzilla.redhat.com/show_bug.cgi?id=1489355#c2
Regards,
Salvatore
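The two messages above show the same fault from both ends: the hexdump in the first report is a code_w_scope element whose code-string length field is zero, and the gdb frame in the second shows bson_utf8_validate being called with utf8_len=4294967295, which is 0 - 1 in uint32_t arithmetic. The C program below is an added example written for this page; it is not libbson code and not the upstream CDRIVER-2269 fix. It decodes that element from the reproducer bytes using the BSON wire layout (int32 total length, int32 string length that counts the trailing NUL, the code bytes, then a scope document), once with the 1.7.0-style "string length minus one" arithmetic and once with bounds checks of my own, and it also constructs a well-formed document to show the hardened path accepting valid input. The helper names (le32, first_element_body, decode_vulnerable, decode_hardened, read_stays_in_bounds) and the constructed good document are this example's, not the library's.

```c
/* Added example (not libbson code, not the CDRIVER-2269 patch): decode the
 * code_w_scope element of the report's reproducer and show the length
 * arithmetic behind CVE-2017-14227. Wire layout per the BSON spec:
 * int32 total_len, int32 str_len, str_len bytes of code including the NUL,
 * then an embedded scope document. All names here are the example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 28-byte reproducer from message #5 of the bug report. */
static const uint8_t poc[28] = {
    0x15, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0xe8,
    0x88, 0x88, 0x00, 0x00
};

/* Constructed well-formed counterpart: key "", code "x", empty scope {}. */
static const uint8_t good[22] = {
    0x16, 0x00, 0x00, 0x00,            /* document length 22 */
    0x0f, 0x00,                        /* type code_w_scope (0x0f), key "" */
    0x0f, 0x00, 0x00, 0x00,            /* total_len 15 = 4 + 4 + 2 + 5 */
    0x02, 0x00, 0x00, 0x00, 'x', 0x00, /* str_len 2: "x" plus its NUL */
    0x05, 0x00, 0x00, 0x00, 0x00,      /* scope: empty document */
    0x00                               /* document terminator */
};

struct codewscope {
    uint32_t str_len;  /* int32 from the wire, counts the NUL */
    uint32_t code_len; /* length a UTF-8 validator would be given */
    const uint8_t *code;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[3] << 24);
}

/* Offset of the first element's body (past type byte and key cstring),
 * 0 if the document header or key is malformed. */
static size_t first_element_body(const uint8_t *doc, size_t doc_size, uint8_t *type)
{
    if (doc_size < 5 || le32(doc) < 5 || le32(doc) > doc_size) return 0;
    *type = doc[4];
    const uint8_t *nul = memchr(doc + 5, '\0', le32(doc) - 5);
    return nul ? (size_t)(nul - doc) + 1 : 0;
}

/* Mirrors the 1.7.0 behaviour the report describes: the validator length is
 * str_len minus one for the NUL and str_len == 0 is never rejected, so the
 * subtraction wraps to 0xffffffff (the utf8_len=4294967295 in the gdb frame). */
static bool decode_vulnerable(const uint8_t *doc, size_t doc_size, struct codewscope *out)
{
    uint8_t type;
    size_t o = first_element_body(doc, doc_size, &type);
    if (!o || type != 0x0f || o + 8 > le32(doc)) return false;
    out->str_len = le32(doc + o + 4);
    out->code_len = out->str_len - 1; /* unsigned wrap when str_len == 0 */
    out->code = doc + o + 8;
    return true;
}

/* Hardened decode. The checks are this example's own, derived from the spec
 * layout; they are not a copy of the upstream fix. */
static bool decode_hardened(const uint8_t *doc, size_t doc_size, struct codewscope *out)
{
    uint8_t type;
    size_t o = first_element_body(doc, doc_size, &type);
    uint32_t doc_len = le32(doc);
    if (!o || type != 0x0f || o + 8 > doc_len) return false;
    uint32_t total_len = le32(doc + o);
    uint32_t str_len = le32(doc + o + 4);
    /* Smallest valid element: 4 + 4 + 1 (lone NUL) + 5 (empty scope) = 14,
     * and the element must end before the document's trailing NUL. */
    if (total_len < 14 || total_len > doc_len - 1 - o) return false;
    /* The code string needs its NUL and must leave room for a 5-byte scope. */
    if (str_len == 0 || str_len > total_len - 8 - 5) return false;
    const uint8_t *code = doc + o + 8;
    if (code[str_len - 1] != '\0') return false;
    /* The scope document must account for exactly the remaining bytes. */
    if (le32(code + str_len) != total_len - 8 - str_len) return false;
    out->str_len = str_len;
    out->code_len = str_len - 1;
    out->code = code;
    return true;
}

/* Would a validator reading code[0 .. code_len) stay inside buf? With the
 * vulnerable length it does not, which is the over-read ASan reports at the
 * end of the reader's 1024-byte region. */
static bool read_stays_in_bounds(const struct codewscope *cw, const uint8_t *buf, size_t buf_size)
{
    size_t start = (size_t)(cw->code - buf);
    return start <= buf_size && cw->code_len <= buf_size - start;
}

int main(void)
{
    struct codewscope cw;
    if (decode_vulnerable(poc, sizeof poc, &cw))
        printf("1.7.0-style: str_len=%u code_len=%u in_bounds=%d\n", cw.str_len,
               cw.code_len, read_stays_in_bounds(&cw, poc, sizeof poc));
    printf("hardened rejects PoC: %d\n", !decode_hardened(poc, sizeof poc, &cw));
    if (decode_hardened(good, sizeof good, &cw))
        printf("hardened accepts constructed doc: code_len=%u\n", cw.code_len);
    return 0;
}
```

Build with cc -std=c99 -Wall -fsanitize=address example.c. Unlike bson-metrics the program never dereferences past the buffer; it only reports whether a validator handed the computed length would. The point for anyone backporting a fix is that the length passed to bson_utf8_validate has to come from a str_len that was first checked to be at least 1 and to end in a NUL inside the element, otherwise the same wrap reappears.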
Information forwarded to debian-bugs-dist@lists.debian.org, A. Jesse Jiryu Davis <jesse@mongodb.com>: Bug#874754; Package src:libbson. (Sat, 09 Sep 2017 15:51:07 GMT)
Acknowledgement sent to "A. Jesse Jiryu Davis" <jesse@mongodb.com>: Extra info received and forwarded to list. Copy sent to A. Jesse Jiryu Davis <jesse@mongodb.com>. (Sat, 09 Sep 2017 15:51:07 GMT)
Message #15 received at 874754@bugs.debian.org:
Thanks, we've diagnosed the bug and we're tracking the fix in
https://jira.mongodb.org/browse/CDRIVER-2269 . We'll release the fix
in libbson 1.8.0 next week.
On Sat, Sep 9, 2017 at 11:36 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
Information forwarded to debian-bugs-dist@lists.debian.org, A. Jesse Jiryu Davis <jesse@mongodb.com>: Bug#874754; Package src:libbson. (Sat, 16 Sep 2017 14:45:02 GMT)
Acknowledgement sent to "A. Jesse Jiryu Davis" <jesse@mongodb.com>: Extra info received and forwarded to list. Copy sent to A. Jesse Jiryu Davis <jesse@mongodb.com>. (Sat, 16 Sep 2017 14:45:03 GMT)
Message #22 received at 874754@bugs.debian.org:
Here's a patch from Kevin Albertson that applies the fix to libbson 1.4.2.
[0001-CDRIVER-2269-Check-for-zero-string-length-in-codewsc.patch (application/octet-stream, attachment)]
Reply sent to jesse@mongodb.com (A. Jesse Jiryu Davis): You have taken responsibility. (Tue, 03 Oct 2017 01:21:07 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 03 Oct 2017 01:21:07 GMT)
Message #27 received at 874754-close@bugs.debian.org:
Source: libbson
Source-Version: 1.8.0-1
We believe that the bug you reported is fixed in the latest version of
libbson, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 874754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
A. Jesse Jiryu Davis <jesse@mongodb.com> (supplier of updated libbson package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 14 Sep 2017 19:45:21 +0000
Source: libbson
Binary: libbson-dev libbson-1.0-0 libbson-doc
Architecture: source
Version: 1.8.0-1
Distribution: unstable
Urgency: low
Maintainer: A. Jesse Jiryu Davis <jesse@mongodb.com>
Changed-By: A. Jesse Jiryu Davis <jesse@mongodb.com>
Description:
libbson-1.0-0 - Library to parse and generate BSON documents - runtime files
libbson-dev - Library to parse and generate BSON documents - dev files
libbson-doc - Library to parse and generate BSON documents - documentation
Closes: 874754 876194
Changes:
libbson (1.8.0-1) unstable; urgency=low
.
* New upstream release (Closes: #874754)
* Include cmake config files (Closes: #876194)
Checksums-Sha1:
7fdbf152e5b5851775ebaa872cc57e960e6acb2b 1957 libbson_1.8.0-1.dsc
1fc0670c78999eefe906ccf90099f9aec44aabf7 4016814 libbson_1.8.0.orig.tar.gz
401045b955169ce3f1bf7807400ed559be2d6464 5100 libbson_1.8.0-1.debian.tar.xz
b4915622d84880163d2d2a2903a8958058645a3e 6644 libbson_1.8.0-1_amd64.buildinfo
Checksums-Sha256:
8494810e96bd511c46f85aff502514781781676195125ea4216923fa8832a2db 1957 libbson_1.8.0-1.dsc
07d571ece2af27f73ef66e092480b928f66309c32f96a19de207edaf07a83b78 4016814 libbson_1.8.0.orig.tar.gz
c47cce378721beb69ede14e755c56e909b86d6665f7ce59fd9d6256f6c77d3c5 5100 libbson_1.8.0-1.debian.tar.xz
1f40093daf107aca52d030fb9de206eae341eb82563aa600e58556535fc47ffb 6644 libbson_1.8.0-1_amd64.buildinfo
Files:
b050c2cde98aaf6b292668cdadf20575 1957 libs optional libbson_1.8.0-1.dsc
e65da068f99cf94c2a636a481f1ba3ba 4016814 libs optional libbson_1.8.0.orig.tar.gz
8ae9251ab00363ce2c235a76b16430eb 5100 libs optional libbson_1.8.0-1.debian.tar.xz
6284ee9b3b49b2b1140a3897f9d322f3 6644 libs optional libbson_1.8.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Nov 2017 07:29:35 GMT)
Last modified: Wed Jun 19 18:10:41 2019