bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. In particular, the bson_ensure_space() parameter bytesNeeded could have an integer overflow via properly constructed bson input.

References:
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1872560
https://github.com/10gen-archive/mongo-c-driver-legacy/commit/1a1f5e26a4309480d88598913f9eebf9e9cba8ca#diff-f7d29a680148f52d6601f59ed787f577

Patch: https://launchpadlibrarian.net/474887364/bson-fix-overflow.patch
Created libbson tracking bugs for this issue:
Affects: epel-all [bug 1834705]
Affects: fedora-all [bug 1834706]

Created mongo-c-driver tracking bugs for this issue:
Affects: epel-all [bug 1834708]
Affects: fedora-all [bug 1834707]
Statement: This flaw does not affect versions of bson that are shipped with Red Hat Software Collections packages. The vulnerable code is present in an older version of bson.
There is an integer overflow vulnerability in bson_append_estart()'s local len variable, which is of type uint32_t. This variable is passed to bson_ensure_space(), which in turn uses it in a call to realloc(), causing a heap buffer overflow when provided crafted input that causes the output of strlen() (which is a size_t) to trigger an int overflow, since len is of type uint32_t. These functions are located in bson.c.

For more details, see the code:
bson_append_estart(): https://git.launchpad.net/ubuntu/+source/whoopsie/tree/lib/bson/bson.c?h=applied/0.2.69#n662
bson_ensure_space(): https://git.launchpad.net/ubuntu/+source/whoopsie/tree/lib/bson/bson.c?h=applied/0.2.69#n608
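The two size computations described in the comment above, as an added illustration that is not code from the bson library or the whoopsie package: a 32-bit accumulation of the element header length (type byte + name + NUL, the layout is assumed here) next to a size_t version with checked arithmetic, and an ensure_space that validates the requested growth before realloc(). The bson_buf struct, function names and the 64-byte initial allocation are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Minimal stand-in for the legacy bson buffer (constructed for this example):
 * only the fields the size logic needs. */
typedef struct {
    char  *data;
    size_t cur;      /* bytes in use */
    size_t dataSize; /* bytes allocated */
} bson_buf;

/* The flawed pattern: the element header length (type byte + name + NUL)
 * is accumulated in a 32-bit value, so a strlen() result that does not fit
 * silently wraps and a far too small size reaches the allocator. */
uint32_t estart_len_truncating(size_t name_len, size_t payload) {
    uint32_t len = (uint32_t)(name_len + 1);   /* name + NUL, truncated */
    return 1 + len + (uint32_t)payload;        /* + type byte, still 32-bit */
}

/* Hardened form: size_t throughout and every addition checked first. */
bool estart_len_checked(size_t name_len, size_t payload, size_t *out) {
    if (name_len > SIZE_MAX - 2) return false;     /* type byte + NUL */
    size_t len = name_len + 2;
    if (payload > SIZE_MAX - len) return false;
    *out = len + payload;
    return true;
}

/* Hardened ensure_space: rejects growth that would overflow the new size
 * or exceed a caller-chosen cap before realloc() is ever called. */
bool ensure_space_checked(bson_buf *b, size_t bytes_needed, size_t max_size) {
    if (bytes_needed > SIZE_MAX - b->cur) return false;
    size_t need = b->cur + bytes_needed;
    if (need > max_size) return false;
    if (need <= b->dataSize) return true;
    size_t new_size = b->dataSize ? b->dataSize : 64;
    while (new_size < need) {
        if (new_size > max_size / 2) { new_size = need; break; }
        new_size *= 2;
    }
    char *p = realloc(b->data, new_size);
    if (!p) return false;
    b->data = p;
    b->dataSize = new_size;
    return true;
}
```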
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12135