Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Dear SRMs,

I would like to update MongoDB in stable to fix two low-impact security issues:

- CVE-2016-6494[1] is fixed by backporting the patch already applied to 2.6 (once in sid).
- TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for 2.6[3] using the infrastructure available in MongoDB 2.4. Unfortunately the mutable BSON infrastructure used in 2.6 is incomplete and unusable in 2.4. I benchmarked my own version and found no measurable performance impact.

Full source debdiff attached.

Regards,
Apollon

[1] https://security-tracker.debian.org/tracker/CVE-2016-6494
[2] https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D
[3] https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12
diff -Nru mongodb-2.4.10/debian/changelog mongodb-2.4.10/debian/changelog --- mongodb-2.4.10/debian/changelog 2015-03-09 23:25:16.000000000 +0200 +++ mongodb-2.4.10/debian/changelog 2017-01-11 11:17:56.000000000 +0200 @@ -1,3 +1,10 @@ +mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium + + * Redact key and nonce from auth attempt logs (Closes: #833087) + * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908) + + -- Apollon Oikonomopoulos <apoi...@debian.org> Wed, 11 Jan 2017 11:17:56 +0200 + mongodb (1:2.4.10-5) unstable; urgency=high * Use upstream backported fix for CVE-2015-1609 (closes: #780129). diff -Nru mongodb-2.4.10/debian/patches/CVE-2016-6494.patch mongodb-2.4.10/debian/patches/CVE-2016-6494.patch --- mongodb-2.4.10/debian/patches/CVE-2016-6494.patch 1970-01-01 02:00:00.000000000 +0200 +++ mongodb-2.4.10/debian/patches/CVE-2016-6494.patch 2017-01-11 11:17:09.000000000 +0200 
@@ -0,0 +1,39 @@ +Description: prevent group and other access on .dbshell + Use umask on file creation and chmod on existing file load. +Forwarded: no +Bug-Debian: https://bugs.debian.org/832908 +Author: Laszlo Boszormenyi (GCS) <g...@debian.org> +Last-Update: 2016-08-04 + +--- + +--- mongodb-2.4.10.orig/src/mongo/shell/linenoise.cpp ++++ mongodb-2.4.10/src/mongo/shell/linenoise.cpp +@@ -103,6 +103,7 @@ + #include <stdlib.h> + #include <string.h> + #include <sys/types.h> ++#include <sys/stat.h> + #include <sys/ioctl.h> + #include <cctype> + #include <wctype.h> +@@ -2626,7 +2627,10 @@ int linenoiseHistorySetMaxLen( int len ) + /* Save the history in the specified file. On success 0 is returned + * otherwise -1 is returned. */ + int linenoiseHistorySave( const char* filename ) { ++ mode_t old_umask; ++ old_umask = umask(S_IRWXG | S_IRWXO); + FILE* fp = fopen( filename, "wt" ); ++ umask(old_umask); + if ( fp == NULL ) { + return -1; + } +@@ -2651,6 +2655,8 @@ int linenoiseHistoryLoad( const char* fi + return -1; + } + ++ chmod(filename, 00600); ++ + char buf[LINENOISE_MAX_LINE]; + while ( fgets( buf, LINENOISE_MAX_LINE, fp ) != NULL ) { + char* p = strchr( buf, '\r' ); diff -Nru mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch --- mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 1970-01-01 02:00:00.000000000 +0200 +++ mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 2017-01-11 11:17:09.000000000 +0200 
@@ -0,0 +1,42 @@ +From 1d44ca172befd6ad6d3a6cb410ddf7a0e31b6f81 Mon Sep 17 00:00:00 2001 +From: Apollon Oikonomopoulos <apoi...@debian.org> +Date: Tue, 10 Jan 2017 17:39:57 +0200 +Subject: [PATCH] Redact key and nonce from auth attempt logs + +This fixes TEMP-0833087-C5410D and closes #833087. +--- + src/mongo/db/commands/authentication_commands.cpp | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp +index bcc5a2f..538e9a0 100644 +--- a/src/mongo/db/commands/authentication_commands.cpp ++++ b/src/mongo/db/commands/authentication_commands.cpp +@@ -93,8 +93,23 @@ namespace mongo { + } cmdGetNonce; + + bool CmdAuthenticate::run(const string& dbname , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) { ++ // Debian #833087: redact key and nonce from authentication attempts ++ BSONObjBuilder cmdToLog; ++ BSONObjIterator it = cmdObj.begin(); ++ const StringData kKey = "key"; ++ const StringData kNonce = "nonce"; ++ ++ while (it.more()) { ++ BSONElement e = it.next(); ++ const char *fname = e.fieldName(); ++ if (fname == kKey || fname == kNonce) { ++ cmdToLog.append(fname, "xxx"); ++ } else { ++ cmdToLog.append(e); ++ } ++ } + +- log() << " authenticate db: " << dbname << " " << cmdObj << endl; ++ log() << " authenticate db: " << dbname << " " << cmdToLog.obj() << endl; + + string user = cmdObj.getStringField("user"); + +-- +2.10.2 + diff -Nru mongodb-2.4.10/debian/patches/series mongodb-2.4.10/debian/patches/series --- mongodb-2.4.10/debian/patches/series 2015-03-09 23:21:17.000000000 +0200 +++ mongodb-2.4.10/debian/patches/series 2017-01-11 11:17:09.000000000 +0200 @@ -18,3 +18,5 @@ 8b9242837510e6410ddcf4f19969da4c7b01b2f7.patch 656f78711632a5dc37221422c99e3c4619bcc58f.patch 3a7e85ea1f672f702660e5472566234b1d19038e.patch +Redact-key-and-nonce-from-auth-attempt-logs.patch +CVE-2016-6494.patch
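Review bot: in the CVE-2016-6494.patch hunk for linenoiseHistoryLoad, `chmod(filename, 00600)` is applied to the path after the file has already been opened successfully (it sits just past the `return -1;` on fopen failure), so it follows symlinks and races with any replacement of the file between fopen and chmod; since `fp` is valid at that point, `fchmod(fileno(fp), S_IRUSR | S_IWUSR)` applies the mode to the descriptor that is actually in use, and its return value should be checked rather than discarded, since a failure (for example a history file owned by another user) currently passes silently. The linenoiseHistorySave hunk only narrows the umask, which affects newly created files; an existing history file truncated by `fopen( filename, "wt" )` keeps its previous mode and depends on the load-time chmod having run earlier in the same session, so the DEP-3 Description line ("Use umask on file creation and chmod on existing file load") should say so explicitly, and as the cover mail calls this a backport of the 2.6 fix, `Forwarded: no` would be better expressed as an Origin: backport header.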
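Review bot: in the Redact-key-and-nonce-from-auth-attempt-logs.patch hunk, the redaction covers only the single `log()` call that is rewritten to print `cmdToLog.obj()`; `cmdObj` itself is left unchanged and continues to be used right after (`cmdObj.getStringField("user")`), so any other place that prints the raw command object is outside this change and should be checked separately. `cmdToLog.append(fname, "xxx")` replaces the value with a string whatever the original element type was, which is fine for redaction but deserves a mention next to the `// Debian #833087` comment so the fixed "xxx" marker is recognisable when parsing logs; the field-name match (`fname == kKey || fname == kNonce`) is exact and case-sensitive, which matches the wire field names and is worth stating in the same comment. Minor: this patch is in git format-patch form without the DEP-3 headers used by the neighbouring CVE-2016-6494.patch; adding Bug-Debian: https://bugs.debian.org/833087 and an Origin line keeps the two consistent.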