Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 838253 (CVE-2021-32040, CVE-2022-24272)

Summary: <dev-db/mongodb-{4.2.17,4.4.20,5.0.5}: stack overflow
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hydrapolic, ultrabug
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 19:30:14 UTC
CVE-2021-32040 (https://jira.mongodb.org/browse/SERVER-58203):
https://jira.mongodb.org/browse/SERVER-60218
https://jira.mongodb.org/browse/SERVER-59299

It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB versions prior to 5.0.4, 4.4.11, 4.2.16.

Fix in 5.0.4, 4.4.11, 4.2.16, please stabilize fixed versions and bump
the 4.4.x branch.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-21 22:24:52 UTC
CVE-2022-24272 (https://jira.mongodb.org/browse/SERVER-63968):

An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.
Comment 2 Ultrabug gentoo-dev 2023-05-16 08:00:22 UTC
no vulnerable version in tree anymore AFAIK
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-25 03:16:22 UTC
(In reply to Ultrabug from comment #2)
> no vulnerable version in tree anymore AFAIK

The security team is supposed to take care of closing security bugs.
Comment 4 Ultrabug gentoo-dev 2023-05-26 08:40:15 UTC
I apologize, you're right