Debian Bug report logs - #710597
pymongo: CVE-2013-2132: null pointer when decoding invalid DBRef

version graph

Package: pymongo; Maintainer for pymongo is Federico Ceratto <federico.ceratto@gmail.com>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 1 Jun 2013 08:57:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions 2.2-4, 2.5-1

Fixed in versions 2.2-4+deb7u1, 2.5.2-1, pymongo/2.5.2-1

Done: Federico Ceratto <federico.ceratto@gmail.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Federico Ceratto <federico.ceratto@gmail.com>:
Bug#710597; Package pymongo. (Sat, 01 Jun 2013 08:57:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Federico Ceratto <federico.ceratto@gmail.com>. (Sat, 01 Jun 2013 08:57:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pymongo: CVE-2013-2132: null pointer when decoding invalid DBRef
Date: Sat, 01 Jun 2013 10:54:49 +0200
Package: pymongo
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for pymongo.

CVE-2013-2132[0]:
null pointer when decoding invalid DBRef

See [1] for details and upstream bugreport including reproducer for
the issue. A patch was applied upstream in [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2132
    http://security-tracker.debian.org/tracker/CVE-2013-2132
[1] https://jira.mongodb.org/browse/PYTHON-532
[2] https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2

I have checked 2.2-4, which seem affected. Please adjust the affected
versions in the BTS as needed.

Thanks for your work and regards,

Salvatore



Marked as found in versions 2.2-4. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Sat, 01 Jun 2013 17:18:04 GMT) Full text and rfc822 format available.

Marked as found in versions 1.7-1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Sat, 01 Jun 2013 17:18:08 GMT) Full text and rfc822 format available.

Marked as found in versions 2.5-1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Sat, 01 Jun 2013 17:18:12 GMT) Full text and rfc822 format available.

No longer marked as found in versions 1.7-1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Sun, 02 Jun 2013 10:36:04 GMT) Full text and rfc822 format available.

Reply sent to Federico Ceratto <federico.ceratto@gmail.com>:
You have taken responsibility. (Sun, 02 Jun 2013 11:51:08 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 02 Jun 2013 11:51:09 GMT) Full text and rfc822 format available.

Message #18 received at 710597-close@bugs.debian.org (full text, mbox):

From: Federico Ceratto <federico.ceratto@gmail.com>
To: 710597-close@bugs.debian.org
Subject: Bug#710597: fixed in pymongo 2.5.2-1
Date: Sun, 02 Jun 2013 11:48:19 +0000
Source: pymongo
Source-Version: 2.5.2-1

We believe that the bug you reported is fixed in the latest version of
pymongo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 710597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Ceratto <federico.ceratto@gmail.com> (supplier of updated pymongo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 02 Jun 2013 11:11:10 +0100
Source: pymongo
Binary: python-pymongo python3-pymongo python-pymongo-ext python-pymongo-doc python-gridfs python3-gridfs python-bson python3-bson python-bson-ext
Architecture: source amd64 all
Version: 2.5.2-1
Distribution: unstable
Urgency: high
Maintainer: Federico Ceratto <federico.ceratto@gmail.com>
Changed-By: Federico Ceratto <federico.ceratto@gmail.com>
Description: 
 python-bson - Python implementation of BSON for MongoDB
 python-bson-ext - C-coded extension to the python-bson package
 python-gridfs - Python implementation of GridFS for MongoDB
 python-pymongo - Python interface to the MongoDB document-oriented database
 python-pymongo-doc - Python interface to the MongoDB document-oriented database (docum
 python-pymongo-ext - C-coded extension to the python-pymongo package
 python3-bson - Python3 implementation of BSON for MongoDB
 python3-gridfs - Python3 implementation of GridFS for MongoDB
 python3-pymongo - Python3 interface to the MongoDB document-oriented database
Closes: 710597
Changes: 
 pymongo (2.5.2-1) unstable; urgency=high
 .
   * New upstream release. (Closes: #710597)
   * Releasing to unstable.
Checksums-Sha1: 
 0f4919a56f10793834e9f49e8f8f08e6c7298d21 1793 pymongo_2.5.2-1.dsc
 2ef234fcae46328e95d8dfbc9fb08fbe50893a68 305155 pymongo_2.5.2.orig.tar.gz
 4c0507a78a33052b4a5459002545a52066682c39 4317 pymongo_2.5.2-1.debian.tar.gz
 8d22a8fcfe77eb48a116a6f49a4bded1be00685c 110042 python-pymongo_2.5.2-1_amd64.deb
 adaee6b08f05f8d7efe27f89e7afb41a6c9d5d3e 107872 python3-pymongo_2.5.2-1_amd64.deb
 18fdf1c9beb6519909efb7548d6d67bf84864f50 25086 python-pymongo-ext_2.5.2-1_amd64.deb
 bc83719c0ba9ff9cd3e57caec7ff54fe0b8a507e 1096406 python-pymongo-doc_2.5.2-1_all.deb
 77192b0e1e63040c4f73737df5df6a4f6834c3f5 24364 python-gridfs_2.5.2-1_all.deb
 a5010c16c5512cfd4392831ed6f7fcad453c6372 24618 python3-gridfs_2.5.2-1_all.deb
 40f21c96e6fb26c65abc8768914479941800d780 32964 python-bson_2.5.2-1_amd64.deb
 d169dfe1f7bbbb652c0ef5385bac15d1cbdb5ca9 33058 python3-bson_2.5.2-1_amd64.deb
 7b37dc6d7714dbba75912a802acf1c2baf12e561 66524 python-bson-ext_2.5.2-1_amd64.deb
Checksums-Sha256: 
 0b299aea8393351379319fc1b58c6dca2dc19b74fffdd9ce2e0269fde1b127ed 1793 pymongo_2.5.2-1.dsc
 641e8e7d19abdd43d5e8ee2f14b82632d7d1deb6cb1b05a82b68b0711b31c307 305155 pymongo_2.5.2.orig.tar.gz
 73fe1a84731bf72fb4674cda0fa9ab455ab3bd2c96a29780ee73205ed62cd787 4317 pymongo_2.5.2-1.debian.tar.gz
 cbdc82781d2e00dafc55e0bac1c5cb22601570b5bc3db7d242e5a32f69569d2b 110042 python-pymongo_2.5.2-1_amd64.deb
 70c26f80d25ca8ef73c18f41d5aba71ecc0b771bcb3893f50b019e9679a061b5 107872 python3-pymongo_2.5.2-1_amd64.deb
 789978a34d07ae4c66ad2b0560e324e0f9aedce76a41eed3e5716268eeebdf94 25086 python-pymongo-ext_2.5.2-1_amd64.deb
 a61dcb5e75c72e7fda7d8b4cc486329de662413d21c7a24f093cca35db5c30b7 1096406 python-pymongo-doc_2.5.2-1_all.deb
 3212514ca0c0b4e45fa7eaa44094413863cd2b21e9f2e615fb328bb36e471217 24364 python-gridfs_2.5.2-1_all.deb
 d3b5637b6b8851ff4983319b74ed86787d8e24f2af239ce096fcf5608f7ae3ef 24618 python3-gridfs_2.5.2-1_all.deb
 260e6c7b9b20f9aef45e8dcb48009c8f0c0a38bd0f3b90f24a71dfbe8a54aca4 32964 python-bson_2.5.2-1_amd64.deb
 55aa77e5e6a9cd8e9b8c4ccb4bcfc220e9583fb3a83540d4bd8332d5197267c1 33058 python3-bson_2.5.2-1_amd64.deb
 ae994fe52b2a330cf7867b9212ad3f9219038836fe64cf9c412c888b6803e844 66524 python-bson-ext_2.5.2-1_amd64.deb
Files: 
 90ca4bfd7f2e6089e10338a8fad6ba8a 1793 python optional pymongo_2.5.2-1.dsc
 7f5b74383acc00119b492e1a48568be6 305155 python optional pymongo_2.5.2.orig.tar.gz
 5e635aa19174ac8a65a718d9359c2fa9 4317 python optional pymongo_2.5.2-1.debian.tar.gz
 4b962188da381fdbee388c21d9150b23 110042 python optional python-pymongo_2.5.2-1_amd64.deb
 267f93c76692639830a74e393b6310d5 107872 python optional python3-pymongo_2.5.2-1_amd64.deb
 3e5526de8af4cfba5ae124e5b77d1a0e 25086 python optional python-pymongo-ext_2.5.2-1_amd64.deb
 17e7eed270b53cac8368fdae9c3f87c5 1096406 doc optional python-pymongo-doc_2.5.2-1_all.deb
 ddbfd74487d6fb902f8a0c969723744a 24364 python optional python-gridfs_2.5.2-1_all.deb
 edc3a029b3dea09b591d440d3dca5043 24618 python optional python3-gridfs_2.5.2-1_all.deb
 59775bef3b43456ce842ce071c3975a1 32964 python optional python-bson_2.5.2-1_amd64.deb
 1c7f4eb56dcac30936aa777d41fce4b5 33058 python optional python3-bson_2.5.2-1_amd64.deb
 52266b6a53c345fd96c10227b1abe7ad 66524 python optional python-bson-ext_2.5.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGrLSQACgkQXjJjA8mLXV3iIQCfRWf2/XPmimJumjS/NskxnDld
x6sAn1p76Je9B6fbZCb+uhsEkpPnOjRC
=KcSW
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Federico Ceratto <federico.ceratto@gmail.com>:
Bug#710597; Package pymongo. (Mon, 03 Jun 2013 18:06:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Federico Ceratto <federico.ceratto@gmail.com>. (Mon, 03 Jun 2013 18:06:15 GMT) Full text and rfc822 format available.

Message #23 received at 710597@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Federico Ceratto <federico.ceratto@gmail.com>
Cc: 710597@bugs.debian.org
Subject: Re: Bug#710597: marked as done (pymongo: CVE-2013-2132: null pointer when decoding invalid DBRef)
Date: Mon, 03 Jun 2013 19:04:28 +0100
On Sun, 2013-06-02 at 11:51 +0000, Debian Bug Tracking System wrote:
> >  pymongo (2.5.2-1) unstable; urgency=high
> >  .
> >    * New upstream release. (Closes: #710597)
> >    * Releasing to unstable.

Please use more descriptive changelog entries in future. #710597 was not
about a request for a new upstream release.

Regards,

Adam




Information forwarded to debian-bugs-dist@lists.debian.org, Federico Ceratto <federico.ceratto@gmail.com>:
Bug#710597; Package pymongo. (Wed, 05 Jun 2013 08:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Federico Ceratto <federico.ceratto@gmail.com>. (Wed, 05 Jun 2013 08:33:04 GMT) Full text and rfc822 format available.

Message #28 received at 710597@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 710597@bugs.debian.org
Subject: Re: Bug#710597: pymongo: CVE-2013-2132: null pointer when decoding invalid DBRef
Date: Wed, 5 Jun 2013 10:31:09 +0200
Hi Federico

On Sat, Jun 01, 2013 at 10:54:49AM +0200, Salvatore Bonaccorso wrote:
> Package: pymongo
> Severity: grave
> Tags: security upstream patch
> 
> Hi,
> 
> the following vulnerability was published for pymongo.
> 
> CVE-2013-2132[0]:
> null pointer when decoding invalid DBRef
> 
> See [1] for details and upstream bugreport including reproducer for
> the issue. A patch was applied upstream in [2].
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2132
>     http://security-tracker.debian.org/tracker/CVE-2013-2132
> [1] https://jira.mongodb.org/browse/PYTHON-532
> [2] https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2
> 
> I have checked 2.2-4, which seem affected. Please adjust the affected
> versions in the BTS as needed.

Thanks for having fixed that quickly already by the upload to
unstable. Could you also prepare a fix for wheezy to be included
trough a stable-proposed-update? (Note: Please contact stable release
managers in advance before uploading, preferably via bugreport against
release.debian.org with the debdiff).

(Side note to what Adam wrote already: Adding the CVE in changelog
helps us furthermore a lot to track the issues fixed; apart having
documented the security fix in changelog).

Thank you for your work!

Regards,
Salvatore



Marked as fixed in versions 2.2-4+deb7u1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Mon, 10 Jun 2013 22:54:05 GMT) Full text and rfc822 format available.

Marked as fixed in versions 2.5.2-1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Mon, 10 Jun 2013 22:54:08 GMT) Full text and rfc822 format available.

Reply sent to Federico Ceratto <federico.ceratto@gmail.com>:
You have taken responsibility. (Sun, 16 Jun 2013 18:36:12 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 16 Jun 2013 18:36:12 GMT) Full text and rfc822 format available.

Message #37 received at 710597-close@bugs.debian.org (full text, mbox):

From: Federico Ceratto <federico.ceratto@gmail.com>
To: 710597-close@bugs.debian.org
Subject: Bug#710597: fixed in pymongo 2.2-4+deb7u1
Date: Sun, 16 Jun 2013 18:34:26 +0000
Source: pymongo
Source-Version: 2.2-4+deb7u1

We believe that the bug you reported is fixed in the latest version of
pymongo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 710597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Ceratto <federico.ceratto@gmail.com> (supplier of updated pymongo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 01 Jun 2013 18:38:42 +0100
Source: pymongo
Binary: python-pymongo python-pymongo-ext python-pymongo-doc python-gridfs python-bson python-bson-ext
Architecture: source amd64 all
Version: 2.2-4+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: Federico Ceratto <federico.ceratto@gmail.com>
Changed-By: Federico Ceratto <federico.ceratto@gmail.com>
Description: 
 python-bson - Python implementation of BSON for MongoDB
 python-bson-ext - C-coded extension to the python-bson package
 python-gridfs - Python implementation of GridFS for MongoDB
 python-pymongo - Python interface to the MongoDB document-oriented database
 python-pymongo-doc - Python interface to the MongoDB document-oriented database (docum
 python-pymongo-ext - C-coded extension to the python-pymongo package
Closes: 710597
Changes: 
 pymongo (2.2-4+deb7u1) stable-security; urgency=high
 .
   * Fix "CVE-2013-2132: null pointer when decoding invalid DBRef"
     Backported upstream patches from version 2.5 (Closes: #710597)
Checksums-Sha1: 
 deaea9acff70c0c078a4668df3e62b59037cf2b1 1630 pymongo_2.2-4+deb7u1.dsc
 09afcc6ea6b19a908df07401215c7e2ed8f89523 228794 pymongo_2.2.orig.tar.gz
 78b23576c8c560ea10917939b75ee580ae065da0 6871 pymongo_2.2-4+deb7u1.debian.tar.gz
 23bdf36e7bc202a49bc49c297f5e4da4457d44b7 81840 python-pymongo_2.2-4+deb7u1_amd64.deb
 ff470a6744460e35a94b896af057f95feda336c2 22900 python-pymongo-ext_2.2-4+deb7u1_amd64.deb
 70f2fd4115c422edafb912700dff531058b49d66 846246 python-pymongo-doc_2.2-4+deb7u1_all.deb
 e57ca38b8dc95094b9d9500c7be72d85c52c77bb 24908 python-gridfs_2.2-4+deb7u1_all.deb
 0b5a57e90c275f8bd7eeecc806f660969d159909 32516 python-bson_2.2-4+deb7u1_amd64.deb
 41d27a93cc94ce79c8b3d4c92d9f609145418f4c 49596 python-bson-ext_2.2-4+deb7u1_amd64.deb
Checksums-Sha256: 
 7913616323d2a9945a6db3263f491c495b6c365c4af62bc7adfd1536954293d3 1630 pymongo_2.2-4+deb7u1.dsc
 ac7952896ecfd5d9b4b9d8bb0077c95a0296ea21374df85e2ca32c237c0be57f 228794 pymongo_2.2.orig.tar.gz
 12c221843b77f81197a840404d6cc570c74a914f1cde7017619b9317ea493045 6871 pymongo_2.2-4+deb7u1.debian.tar.gz
 1526aad8bcb8f3a28bc82cad487066b3dc1c0492984b49b6ddaafdaba8fc93e5 81840 python-pymongo_2.2-4+deb7u1_amd64.deb
 1f9081e635cd384fa67c58aee0d2d271f25487d4bb01d9c4de2a751582a32965 22900 python-pymongo-ext_2.2-4+deb7u1_amd64.deb
 4c324bb0e33a294d457f4cc58956896ff2156337e14b0e94274524af9971c026 846246 python-pymongo-doc_2.2-4+deb7u1_all.deb
 e647a2e3e244c70251687542ba2cfc3f9a4f1a4fb7560c0bdc20fed85314f7c0 24908 python-gridfs_2.2-4+deb7u1_all.deb
 ecd162175facce9aeac1dca1765bae255b0cdcb2743da00caa96c17104a338d0 32516 python-bson_2.2-4+deb7u1_amd64.deb
 fc735e5c3aee20baaf268c290dff6dc1adbbcdad804a7d31762926d317f24b53 49596 python-bson-ext_2.2-4+deb7u1_amd64.deb
Files: 
 f9646eadab35807d3aed8deb9d0f024f 1630 python optional pymongo_2.2-4+deb7u1.dsc
 101dd4ae59bdd487f67b3a3968a82c8c 228794 python optional pymongo_2.2.orig.tar.gz
 9a14cbbfc4af120d54ce88b70435ea2e 6871 python optional pymongo_2.2-4+deb7u1.debian.tar.gz
 53ccf5a7aadac01e65213184ec84ceaf 81840 python optional python-pymongo_2.2-4+deb7u1_amd64.deb
 5f1729043d662bb4587a8a828a950b43 22900 python optional python-pymongo-ext_2.2-4+deb7u1_amd64.deb
 e1081a9b82f15ace4abab2e7bfe2ef4c 846246 doc optional python-pymongo-doc_2.2-4+deb7u1_all.deb
 47a164cba32e2cf778095f7e9ff66d89 24908 python optional python-gridfs_2.2-4+deb7u1_all.deb
 7cead2b6c2a3085a7ee32efdcc57e73f 32516 python optional python-bson_2.2-4+deb7u1_amd64.deb
 cc533d4b9ba1e7bd0be1cf0f65bb5bfe 49596 python optional python-bson-ext_2.2-4+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGvMZQACgkQNxpp46476ap0iACfThdlk5ElUMSxrlDsZPYHy+yM
994An2ryaWl857C6KEHnjDBThn4MTCDV
=kWAi
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 31 Oct 2013 07:35:53 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 10:16:35 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.