Debian Bug report logs - #704042
CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper

version graph

Package: mongodb; Maintainer for mongodb is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for mongodb is src:mongodb.

Reported by: Prach Pongpanich <prachpub@gmail.com>

Date: Wed, 27 Mar 2013 08:57:06 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions mongodb/1:2.0.6-1, mongodb/1:1.4.4-3

Fixed in versions mongodb/1:2.0.6-1.1, mongodb/1:2.4.1-1

Done: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Antonin Kral <A.Kral@sh.cvut.cz>:
Bug#704042; Package mongodb. (Wed, 27 Mar 2013 08:57:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Prach Pongpanich <prachpub@gmail.com>:
New Bug report received and forwarded. Copy sent to Antonin Kral <A.Kral@sh.cvut.cz>. (Wed, 27 Mar 2013 08:57:10 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Prach Pongpanich <prachpub@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper
Date: Wed, 27 Mar 2013 15:54:21 +0700
Package: mongodb
Severity: grave
Tags: security

Dear Maintainer,


Please see here for details [1] and a link to the upstream commit [2]:

[1] https://security-tracker.debian.org/tracker/CVE-2013-1892

[2] https://jira.mongodb.org/browse/SERVER-9124

Regrads

-- 
 Prach Pongpanich



Information forwarded to debian-bugs-dist@lists.debian.org, Antonin Kral <A.Kral@sh.cvut.cz>:
Bug#704042; Package mongodb. (Wed, 27 Mar 2013 12:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Antonin Kral <A.Kral@sh.cvut.cz>. (Wed, 27 Mar 2013 12:06:03 GMT) Full text and rfc822 format available.

Message #10 received at 704042@bugs.debian.org (full text, mbox):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: Prach Pongpanich <prachpub@gmail.com>, 704042@bugs.debian.org, control@bugs.debian.org
Subject: Re: CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper
Date: Wed, 27 Mar 2013 13:02:20 +0100
[Message part 1 (text/plain, inline)]
tags 704042 patch
tags 704042 upstream
thanks

I have extracted the two patches which have been committed by upstream 
to address the issue, attaching them. Will create a package ready for 
NMU later to help speed things up if desired.

Cheers,

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
[0001-SERVER-9124-Avoid-raw-pointers-for-SM-s-nativeHelper.patch (text/x-patch, attachment)]
[0001-SERVER-9124-cast-id-to-double-before-converting-to-J.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> to control@bugs.debian.org. (Wed, 27 Mar 2013 12:06:06 GMT) Full text and rfc822 format available.

Added tag(s) upstream. Request was from John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> to control@bugs.debian.org. (Wed, 27 Mar 2013 12:06:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Antonin Kral <A.Kral@sh.cvut.cz>:
Bug#704042; Package mongodb. (Wed, 27 Mar 2013 12:36:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antonin Kral <A.Kral@bobek.cz>:
Extra info received and forwarded to list. Copy sent to Antonin Kral <A.Kral@sh.cvut.cz>. (Wed, 27 Mar 2013 12:36:07 GMT) Full text and rfc822 format available.

Message #19 received at 704042@bugs.debian.org (full text, mbox):

From: Antonin Kral <A.Kral@bobek.cz>
To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, 704042@bugs.debian.org
Cc: Prach Pongpanich <prachpub@gmail.com>, control@bugs.debian.org
Subject: Re: Bug#704042: CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper
Date: Wed, 27 Mar 2013 13:25:34 +0100
Hi all,

thank you very much for the effort. Can you please do NMU for me? I am
on quite distant location for next 2 days and the Internet connection is
not well enough to upload anything bigger then email.

Thank you,

        Antonin

* John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> [2013-03-27 13:15] wrote:
> tags 704042 patch
> tags 704042 upstream
> thanks
>
> I have extracted the two patches which have been committed by
> upstream to address the issue, attaching them. Will create a package
> ready for NMU later to help speed things up if desired.
>
> Cheers,
>
> Adrian
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaubitz@debian.org
> `. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
>   `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913





Reply sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
You have taken responsibility. (Wed, 27 Mar 2013 12:51:14 GMT) Full text and rfc822 format available.

Notification sent to Prach Pongpanich <prachpub@gmail.com>:
Bug acknowledged by developer. (Wed, 27 Mar 2013 12:51:14 GMT) Full text and rfc822 format available.

Message #24 received at 704042-close@bugs.debian.org (full text, mbox):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: 704042-close@bugs.debian.org
Subject: Bug#704042: fixed in mongodb 1:2.0.6-1.1
Date: Wed, 27 Mar 2013 12:48:01 +0000
Source: mongodb
Source-Version: 1:2.0.6-1.1

We believe that the bug you reported is fixed in the latest version of
mongodb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 704042@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> (supplier of updated mongodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 27 Mar 2013 13:08:10 +0100
Source: mongodb
Binary: mongodb mongodb-server mongodb-clients mongodb-dev
Architecture: source amd64
Version: 1:2.0.6-1.1
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Antonin Kral <A.Kral@sh.cvut.cz>
Changed-By: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Description: 
 mongodb    - object/document-oriented database (metapackage)
 mongodb-clients - object/document-oriented database (client apps)
 mongodb-dev - object/document-oriented database (development)
 mongodb-server - object/document-oriented database (server package)
Closes: 704042
Changes: 
 mongodb (1:2.0.6-1.1) testing-proposed-updates; urgency=high
 .
   * Non-maintainer upload.
   * Include patch to address remote vulnerability
     CVE-2013-1895 (Closes: #704042).
Checksums-Sha1: 
 b02a71c4fded6618f1fb1f1ca053c30f28572046 2251 mongodb_2.0.6-1.1.dsc
 0e276274e32c589117635f3d6df0ff0d64a62ae0 2836857 mongodb_2.0.6.orig.tar.gz
 89cf9e1753394eb8b79752ab8b8e344aea004b41 24331 mongodb_2.0.6-1.1.debian.tar.gz
 7abfa70e320ccbb5d67a170f7d1be9b5a9064965 10456 mongodb_2.0.6-1.1_amd64.deb
 d7a62719a1a5d8d00858c4a5cebab6ca8bf72fad 4307718 mongodb-server_2.0.6-1.1_amd64.deb
 b0d0440484fc8550c028fe764c3a5e45a4ac6cd7 16793134 mongodb-clients_2.0.6-1.1_amd64.deb
 cfbfe473cc54c6a26b645f00f858330a5c918424 1907698 mongodb-dev_2.0.6-1.1_amd64.deb
Checksums-Sha256: 
 2a66b9455d9a406ae047a7b7fa0e56c17f0794ff2f03a9bc1454dbe2bd53d12f 2251 mongodb_2.0.6-1.1.dsc
 201133a810c908140ea00f84c8257a96cdd6bb84fa0c0a33e42e478628666c3f 2836857 mongodb_2.0.6.orig.tar.gz
 00299de114246e1b3f24d556a17a985b58a2a032e63163d3c308ef1eec02298d 24331 mongodb_2.0.6-1.1.debian.tar.gz
 2631c62a0d28228a47aed1782fd51b6623ee93d139b19cc3e498667c446bdd96 10456 mongodb_2.0.6-1.1_amd64.deb
 0c225302fabe322d5cc1bfd96097117a94e2ed1b7b0498acc7720cc24d6af710 4307718 mongodb-server_2.0.6-1.1_amd64.deb
 aaad56ea212a7082694d1f9304a6eb3963a368b68c53df5921cc78a3b4c1f3b2 16793134 mongodb-clients_2.0.6-1.1_amd64.deb
 d1a7c974050ad413c11afbe5af4da26f7e006172582b7cf141718df16e5c192f 1907698 mongodb-dev_2.0.6-1.1_amd64.deb
Files: 
 2463a70340dc8ab401137a9a834c9842 2251 database optional mongodb_2.0.6-1.1.dsc
 111521f1b6b3379b4dd5fbc1e8f038cf 2836857 database optional mongodb_2.0.6.orig.tar.gz
 9ceb596dd2608b2164993b4867c2251b 24331 database optional mongodb_2.0.6-1.1.debian.tar.gz
 ad764fdfbf1f98160d46054d925887ac 10456 database optional mongodb_2.0.6-1.1_amd64.deb
 15e14000f1bd2c77afca93f6a9c8eb07 4307718 database optional mongodb-server_2.0.6-1.1_amd64.deb
 e44aabe6b1cd76b8a366151ed7dd5bb3 16793134 database optional mongodb-clients_2.0.6-1.1_amd64.deb
 12b8952deefb0bfc5ddd506507c8fb1d 1907698 libdevel optional mongodb-dev_2.0.6-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJRUuejAAoJEHQmOzf1tfkTL7YQAIR80wKIvoBkmBLbWKZE8UKM
G8f2mZB2l+X3oQ+P+Nd3JLjAESEjEUb7wubJZZsaq8C6/LsZxCDFDBX5QWB/MJs5
vm2KjZvLfysVrN2a4oy/ARvexpvwfBVPyQEk92Uh/0xmYprRuLvogm77MWiwddOI
Ns9/zAVmKSKaBnA9DgCW9vlc7LzBGL0NhGBnh3/t4VKwpRKNLKyykVaDutgq46uf
WkryrfCNf6vmgvWR9j0NBKfkM6TFlDPdYDSCJa408FFiYKIM1xr3MXYsDO3/wE7g
CjgcQ3tRBpsAE7lM9YV90/kVKS5RrLYeJ6CKE2GrEkZg0QqJIk8LxuFRbzIoFPgz
Huw27ELsBULneFcqkoDlU9fLBYG0cndluj60eQPGLgZyzL+x0rO6a2BwRXpiAPrK
rN01s3fS4LOuUD+iEMdBfZStxGWmAulH3tvcx/iWVVyx1K9rQzi6kNUnRLT+sbhm
SNRTwRZGbYqNogxEh0RpSQoo0sBkFD/L2TBAcqLdvdCLuAjwNiafAq/D711ODrpq
SBcuKXjfRRtSmETFAShdbNbiEKPKPbGflrs5EteeNAdIF2x2/8ikEaakbqoy7ymu
n/CWcukxSAz5J/z/QMP0Kz5HnsRdYSrLoge40CJq+JLUSxe2yTwDP+T3RecLVPwR
hLv1uECl4DWRqrWjjbrU
=uHx3
-----END PGP SIGNATURE-----




Marked as fixed in versions mongodb/1:2.4.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Mar 2013 14:48:04 GMT) Full text and rfc822 format available.

Marked as found in versions mongodb/1:2.0.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Mar 2013 20:18:07 GMT) Full text and rfc822 format available.

Marked as found in versions mongodb/1:1.4.4-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Mar 2013 05:57:07 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:44:02 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 15:33:48 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.