Bug#1123625: marked as done (bookworm-pu: package mongo-c-driver/1.23.1-1+deb12u2)

Sat, 10 Jan 2026 04:13:40 -0800 

Your message dated Sat, 10 Jan 2026 11:59:46 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1123625,
regarding bookworm-pu: package mongo-c-driver/1.23.1-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1123625: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123625
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]
This update fixes CVE-2025-12119:

mongoc_bulk_operation_t may read invalid memory if large options are
passed

[ Impact ]
Users and applications integrating mongo-c-driver components may be
vulnerable to a potential security issue.

[ Tests ]
The affected/changed code went through multiple upstream code reviews.
Also, accompanying unit tests were implemented and executed in
upstream's extensive CI environment.

[ Risks ]
Code changes are small and low risk. There are no work arounds.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backport upstream patch from
https://github.com/mongodb/mongo-c-driver/commit/27419bebfa8c0772e220592c86cf700b1ce2995d
(only trivial changes were required, to account for small changes in the
context lines in two instances)

[ Other info ]
N/A


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEIYZ1DR4ae5UL01q7ldFmTdL1kUIFAmlEeVEACgkQldFmTdL1
kUL3fBAAilVG0crjIEToojbCN9qslCiWljgNe0YmMuNwX1yEiAv/NZn70D2tItGB
yeb+gbg5vJv/wALtQE53IocleCmEjNCjCa2RKmjgLZUFHUai7iSLjues/3OBFZyl
Ph5yK2haxQccM5oY8XR/Qlh5/qlrBJbIEBp7mTcSQpHu/LfZ7Os5etjzhdj5s220
wPT2j8fs0Z4RxLsTYc1QV9Y5HgmLiYWUDx2f9HFcmGAl3P6rshIoWDVuQpIOP70k
ynrx4v5Pu/GurgieVJee7nLRh9J607yBl8wPEPHihOcJD/CAQ3v8Iojgw+Lj4NOA
7hr8Z4kVzPdObSi7jF/gJzOz5NLc1BHnjdHp2+8+RQgEHje5Ysq2uq2e9NuedE3A
YXN5+DQK6+iYbhlgLFSMHfLulx/mQ/DxHhrc9PRIlX5LRBFItL3UYvuhfAFzVnNw
lOn1JokbMaHvlsJl8Z1usUIeTIkNhxm0UWn6MOtDvhthOHeRw5W2OKkx5GSQbDmn
rzijrG4utrHsBWdeVbT8HJ25pYS2Ou+6R6DVp+0pZmJFGSRSYOTQ0cM1CkJn7rJw
57v12LM44X3gOICdhXUHjiLoNBFMmk6wAZRs0cHmQtP0FSIQ6mFSZAbK2oC/GA5z
akqkEUCJmkEpF3zAcs1HhWy3o0/n7g5gcapDOywnhDBRsqTRLg4=
=M4ze
-----END PGP SIGNATURE-----

diff -Nru mongo-c-driver-1.23.1/debian/changelog 
mongo-c-driver-1.23.1/debian/changelog
--- mongo-c-driver-1.23.1/debian/changelog      2025-04-18 16:28:00.000000000 
-0400
+++ mongo-c-driver-1.23.1/debian/changelog      2025-12-18 15:54:33.000000000 
-0500
@@ -1,3 +1,10 @@
+mongo-c-driver (1.23.1-1+deb12u2) bookworm; urgency=medium
+
+  * Fix CVE-2025-12119: mongoc_bulk_operation_t may read invalid memory if
+    large options are passed.
+
+ -- Roberto C. Sanchez <[email protected]>  Thu, 18 Dec 2025 15:54:33 -0500
+
 mongo-c-driver (1.23.1-1+deb12u1) bookworm; urgency=medium
 
   * Fix CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop
diff -Nru mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch 
mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch
--- mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch   1969-12-31 
19:00:00.000000000 -0500
+++ mongo-c-driver-1.23.1/debian/patches/CVE-2025-12119.patch   2025-12-18 
15:54:33.000000000 -0500
@@ -0,0 +1,151 @@
+From 27419bebfa8c0772e220592c86cf700b1ce2995d Mon Sep 17 00:00:00 2001
+From: Kevin Albertson <[email protected]>
+Date: Mon, 6 Oct 2025 11:38:22 -0400
+Subject: [PATCH] CDRIVER-6112 fix ownership transfer of
+ `mongoc_write_command_t` (#2132) (#2137)
+
+* add regression test
+* do not memcpy `bson_t` struct in array
+  * `memcpy` does not correctly transfer ownership of `bson_t`. Instead: heap 
allocate `bson_t`.
+* warn against using `bson_t` in `mongoc_array_t`
+---
+ src/libmongoc/src/mongoc/mongoc-array-private.h         |    3 
+ src/libmongoc/src/mongoc/mongoc-write-command-private.h |    2 
+ src/libmongoc/src/mongoc/mongoc-write-command.c         |   10 +-
+ src/libmongoc/tests/test-mongoc-bulk.c                  |   56 
++++++++++++++++
+ 4 files changed, 65 insertions(+), 6 deletions(-)
+
+--- a/src/libmongoc/src/mongoc/mongoc-array-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-array-private.h
+@@ -25,6 +25,9 @@
+ BSON_BEGIN_DECLS
+ 
+ 
++// mongoc_array_t stores an array of objects of type T.
++//
++// T must be trivially relocatable. In particular, `bson_t` is not trivially 
relocatable (CDRIVER-6113).
+ typedef struct _mongoc_array_t mongoc_array_t;
+ 
+ 
+--- a/src/libmongoc/src/mongoc/mongoc-write-command-private.h
++++ b/src/libmongoc/src/mongoc/mongoc-write-command-private.h
+@@ -61,7 +61,7 @@
+    uint32_t n_documents;
+    mongoc_bulk_write_flags_t flags;
+    int64_t operation_id;
+-   bson_t cmd_opts;
++   bson_t *cmd_opts;
+ } mongoc_write_command_t;
+ 
+ 
+--- a/src/libmongoc/src/mongoc/mongoc-write-command.c
++++ b/src/libmongoc/src/mongoc/mongoc-write-command.c
+@@ -183,9 +183,9 @@
+    command->flags = flags;
+    command->operation_id = operation_id;
+    if (!bson_empty0 (opts)) {
+-      bson_copy_to (opts, &command->cmd_opts);
++      command->cmd_opts = bson_copy (opts);
+    } else {
+-      bson_init (&command->cmd_opts);
++      command->cmd_opts = bson_new ();
+    }
+ 
+    _mongoc_buffer_init (&command->payload, NULL, 0, NULL, NULL);
+@@ -501,7 +501,7 @@
+          ? MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_NO
+          : MONGOC_CMD_PARTS_ALLOW_TXN_NUMBER_YES;
+ 
+-   BSON_ASSERT (bson_iter_init (&iter, &command->cmd_opts));
++   BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts));
+    if (!mongoc_cmd_parts_append_opts (
+           &parts, &iter, server_stream->sd->max_wire_version, error)) {
+       bson_destroy (&cmd);
+@@ -724,7 +724,7 @@
+    ret = mongoc_cmd_parts_set_write_concern (
+       parts, write_concern, server_stream->sd->max_wire_version, error);
+    if (ret) {
+-      BSON_ASSERT (bson_iter_init (&iter, &command->cmd_opts));
++      BSON_ASSERT (bson_iter_init (&iter, command->cmd_opts));
+       ret = mongoc_cmd_parts_append_opts (
+          parts, &iter, server_stream->sd->max_wire_version, error);
+    }
+@@ -1095,7 +1095,7 @@
+    ENTRY;
+ 
+    if (command) {
+-      bson_destroy (&command->cmd_opts);
++      bson_destroy (command->cmd_opts);
+       _mongoc_buffer_destroy (&command->payload);
+    }
+ 
+--- a/src/libmongoc/tests/test-mongoc-bulk.c
++++ b/src/libmongoc/tests/test-mongoc-bulk.c
+@@ -4934,6 +4934,55 @@
+ }
+ 
+ 
++// `test_bulk_big_let` tests a bulk operation with a large let document to 
reproduce CDRIVER-6112:
++static void
++test_bulk_big_let (void *unused)
++{
++   BSON_UNUSED (unused);
++
++   mongoc_client_t *client = test_framework_new_default_client ();
++   mongoc_collection_t *coll = get_test_collection (client, "test_big_let");
++   bson_error_t error;
++
++   // Create bulk operation similar to PHP driver:
++   mongoc_bulk_operation_t *bulk = mongoc_bulk_operation_new (true /* ordered 
*/);
++
++   // Set a large `let`: { "testDocument": { "a": "aaa..." } }
++   {
++      bson_t let = BSON_INITIALIZER, testDocument;
++      bson_append_document_begin (&let, "testDocument", -1, &testDocument);
++
++      // Append big string:
++      {
++         size_t num_chars = 79;
++         char *big_string = bson_malloc0 (num_chars + 1);
++         memset (big_string, 'a', num_chars);
++         BSON_APPEND_UTF8 (&testDocument, "a", big_string);
++         bson_free (big_string);
++      }
++
++      bson_append_document_end (&let, &testDocument);
++      mongoc_bulk_operation_set_let (bulk, &let);
++      bson_destroy (&let);
++   }
++
++
++   mongoc_bulk_operation_set_client (bulk, client);
++   mongoc_bulk_operation_set_database (bulk, "db");
++   mongoc_bulk_operation_set_collection (bulk, "coll");
++
++   mongoc_bulk_operation_update (
++      bulk, tmp_bson ("{'_id': 1}"), tmp_bson ("{'$set': {'document': 
'$$testDocument'}}"), true);
++
++
++   ASSERT_OR_PRINT (mongoc_bulk_operation_execute (bulk, NULL, &error), 
error);
++
++   mongoc_bulk_operation_destroy (bulk);
++   mongoc_collection_destroy (coll);
++   mongoc_client_destroy (client);
++}
++
++
+ void
+ test_bulk_install (TestSuite *suite)
+ {
+@@ -5230,4 +5279,11 @@
+       suite, "/BulkOperation/opts/let", test_bulk_let);
+    TestSuite_AddMockServerTest (
+       suite, "/BulkOperation/opts/let/multi", test_bulk_let_multi);
++   TestSuite_AddFull (
++      suite,
++      "/BulkOperation/big_let",
++      test_bulk_big_let,
++      NULL,
++      NULL,
++      test_framework_skip_if_max_wire_version_less_than_13 /* 5.0+ for 'let' 
support in CRUD commands */);
+ }
diff -Nru mongo-c-driver-1.23.1/debian/patches/series 
mongo-c-driver-1.23.1/debian/patches/series
--- mongo-c-driver-1.23.1/debian/patches/series 2025-04-18 16:28:00.000000000 
-0400
+++ mongo-c-driver-1.23.1/debian/patches/series 2025-12-18 15:54:33.000000000 
-0500
@@ -2,3 +2,4 @@
 CVE-2024-6381.patch
 CVE-2024-6383.patch
 CVE-2025-0755.patch
+CVE-2025-12119.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org\nVersion: 12.13\n\nThis update has been released as 
part of Debian 12.13.

--- End Message ---

Reply via email to