944308 – (CVE-2024-10921) <dev-db/mongodb-5.0.30: Improper neutralization of null bytes may lead to buffer over-reads

Bug 944308 (CVE-2024-10921) - <dev-db/mongodb-5.0.30: Improper neutralization of null bytes may lead to buffer over-reads

Summary: <dev-db/mongodb-5.0.30: Improper neutralization of null bytes may lead to buf...

Status:	UNCONFIRMED

Alias:	CVE-2024-10921

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://jira.mongodb.org/browse/SERVE...
Whiteboard:	B3 [glsa?]
Keywords:	PullRequest

Depends on:	951686
Blocks:
	Show dependency tree

Reported:	2024-11-21 13:20 UTC by Robert Förster
Modified:	2025-04-07 07:03 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/41271
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Förster 2024-11-21 13:20:56 UTC

CVE-2024-10921:

An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.

Comment 1 Larry the Git Cow gentoo-dev

2024-12-11 05:48:40 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1ade7128433fd35f41e4f4b83de9f387b1d19f7

commit a1ade7128433fd35f41e4f4b83de9f387b1d19f7
Author:     Robert Förster <Dessa@gmake.de>
AuthorDate: 2024-09-10 14:13:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-12-11 05:45:55 +0000

    dev-db/mongodb: add 5.0.30
    
    Closes: https://bugs.gentoo.org/843329
    Closes: https://bugs.gentoo.org/908987
    Closes: https://bugs.gentoo.org/932278
    Closes: https://bugs.gentoo.org/938962
    Bug: https://bugs.gentoo.org/944308
    Signed-off-by: Robert Förster <Dessa@gmake.de>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mongodb/Manifest                          |   1 +
 dev-db/mongodb/files/mongodb-5.0.30-gcc-11.patch |  12 ++
 dev-db/mongodb/files/mongodb-5.0.30-gcc-15.patch |  13 ++
 dev-db/mongodb/metadata.xml                      |   1 +
 dev-db/mongodb/mongodb-5.0.30.ebuild             | 211 +++++++++++++++++++++++
 5 files changed, 238 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2025-04-06 16:31:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67c9df527f29fb5bb2cc7b7918d237ba79b0152f

commit 67c9df527f29fb5bb2cc7b7918d237ba79b0152f
Author:     Robert Förster <Dessa@gmake.de>
AuthorDate: 2025-03-24 20:55:21 +0000
Commit:     Jay Faulkner <jayf@gentoo.org>
CommitDate: 2025-04-06 16:29:34 +0000

    dev-db/mongodb: drop 5.0.26
    
    Bug: https://bugs.gentoo.org/944308
    Closes: https://bugs.gentoo.org/942112
    Signed-off-by: Robert Förster <Dessa@gmake.de>
    Closes: https://github.com/gentoo/gentoo/pull/41271
    Signed-off-by: Jay Faulkner <jayf@gentoo.org>

 dev-db/mongodb/Manifest                        |   1 -
 dev-db/mongodb/files/mongodb-4.4.1-gcc11.patch |  12 --
 dev-db/mongodb/mongodb-5.0.26.ebuild           | 211 -------------------------
 3 files changed, 224 deletions(-)