Bug 1834703 (CVE-2020-12135)

Summary: CVE-2020-12135 bson: integer overflow in bson_ensure_space() parameter bytesNeeded
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, avibelli, bgeorges, chazlett, databases-maint, dkreling, drieden, fedora, ggaughan, gmalinko, hhorak, janstey, jbalunas, jochrist, jorton, jpallich, jwon, krathod, lthon, mszynkie, panovotn, pgallagh, ppisar, rruss
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mongo-c-driver-legacy 0.8.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-14 03:15:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1834705, 1834706, 1834707, 1834708    
Bug Blocks: 1834709    

Description msiddiqu 2020-05-12 09:24:49 UTC 
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. In particular, the bson_ensure_space() parameter bytesNeeded could have an integer overflow via properly constructed bson input.

References:

https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1872560
https://github.com/10gen-archive/mongo-c-driver-legacy/commit/1a1f5e26a4309480d88598913f9eebf9e9cba8ca#diff-f7d29a680148f52d6601f59ed787f577

Patch:
https://launchpadlibrarian.net/474887364/bson-fix-overflow.patch
Comment 1 msiddiqu 2020-05-12 09:25:44 UTC 
Created libbson tracking bugs for this issue:

Affects: epel-all [bug 1834705]
Affects: fedora-all [bug 1834706]


Created mongo-c-driver tracking bugs for this issue:

Affects: epel-all [bug 1834708]
Affects: fedora-all [bug 1834707]
Comment 3 Todd Cullum 2020-05-13 19:54:32 UTC 
Statement:

This flaw does not affect versions of bson that are shipped with Red Hat Software Collections packages. The vulnerable code is present in an older version of bson.
Comment 4 Todd Cullum 2020-05-13 20:17:58 UTC 
There is an integer overflow vulnerability in bson_append_estart()'s local len variable which is of type uint32_t. This variable is passed to bson_ensure_space() which in turn uses it in a call to realloc(), causing a heap buffer overflow when provided crafted input which causes the output of strlen (which is a size_t) to trigger an int overflow, since len is of type uint32_t. These functions are located in bson.c.

For more details, see the code:

bson_append_estart(): https://git.launchpad.net/ubuntu/+source/whoopsie/tree/lib/bson/bson.c?h=applied/0.2.69#n662

bson_ensure_space(): https://git.launchpad.net/ubuntu/+source/whoopsie/tree/lib/bson/bson.c?h=applied/0.2.69#n608
Comment 5 Product Security DevOps Team 2020-05-14 03:15:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12135