
Bug 936109 (CVE-2023-0437)

Summary: <dev-libs/libbson-2.24.4-r1: bson_utf8_validate on some inputs leads to an infinite loop
Product: Gentoo Security
Reporter: Robert Förster <Dessa>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: UNCONFIRMED
Severity: normal
CC: ultrabug
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://jira.mongodb.org/browse/CDRIVER-4747
Whiteboard: B3 [stable?]
Package list:
Runtime testing required: ---

Description Robert Förster 2024-07-15 13:22:57 UTC
CVE-2023-0437:

When calling bson_utf8_validate on some inputs, a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects all MongoDB C Driver versions prior to version 1.25.0.
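The defensive lesson behind this CVE is a termination property: a UTF-8 validator's main loop must consume at least one byte on every path, so its exit condition is always reachable. The following is an added illustration of such a validator, written for this page; it is not libbson's bson_utf8_validate, does not reproduce the inputs behind CVE-2023-0437, and only mirrors the general shape of that call (buffer, length, allow_null flag). It rejects truncated sequences, overlong encodings, UTF-16 surrogates and code points above U+10FFFF, and embedded NUL bytes unless the caller allows them. The sample strings in main() are constructed for the example.

```c
/* Added example (not libbson code): a UTF-8 validator whose loop is
 * guaranteed to make progress, i.e. every iteration advances the cursor
 * by at least one byte, so an unreachable exit condition cannot occur. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Return the length (1..4) of the well-formed UTF-8 sequence starting at p,
 * or 0 if the bytes at p do not begin a well-formed sequence within len. */
static size_t utf8_seq_len(const uint8_t *p, size_t len)
{
    if (len == 0) return 0;
    uint8_t b0 = p[0];
    if (b0 < 0x80) return 1;                      /* ASCII */
    if (b0 < 0xC2) return 0;                      /* stray continuation, or overlong leads C0/C1 */
    if (b0 < 0xE0) {                              /* 2-byte sequence: U+0080..U+07FF */
        if (len < 2 || (p[1] & 0xC0) != 0x80) return 0;
        return 2;
    }
    if (b0 < 0xF0) {                              /* 3-byte sequence: U+0800..U+FFFF */
        if (len < 3 || (p[1] & 0xC0) != 0x80 || (p[2] & 0xC0) != 0x80) return 0;
        if (b0 == 0xE0 && p[1] < 0xA0) return 0;  /* overlong (would encode < U+0800) */
        if (b0 == 0xED && p[1] >= 0xA0) return 0; /* UTF-16 surrogates U+D800..U+DFFF */
        return 3;
    }
    if (b0 < 0xF5) {                              /* 4-byte sequence: U+10000..U+10FFFF */
        if (len < 4 || (p[1] & 0xC0) != 0x80 || (p[2] & 0xC0) != 0x80 ||
            (p[3] & 0xC0) != 0x80) return 0;
        if (b0 == 0xF0 && p[1] < 0x90) return 0;  /* overlong (would encode < U+10000) */
        if (b0 == 0xF4 && p[1] >= 0x90) return 0; /* above U+10FFFF */
        return 4;
    }
    return 0;                                     /* F5..FF are never valid lead bytes */
}

/* Validate len bytes of buf. allow_null decides whether an embedded 0x00 is
 * accepted (BSON strings are NUL-terminated, so a validator usually rejects it). */
bool utf8_validate(const uint8_t *buf, size_t len, bool allow_null)
{
    size_t i = 0;
    while (i < len) {
        if (buf[i] == 0 && !allow_null) return false;
        size_t n = utf8_seq_len(buf + i, len - i);
        if (n == 0) return false;
        /* Progress invariant: n >= 1 here, so i strictly increases and
         * the loop must reach i == len or return false. */
        i += n;
    }
    return true;
}

/* Convenience wrapper for NUL-terminated input (cannot express embedded NULs). */
bool utf8_validate_str(const char *s, bool allow_null)
{
    return utf8_validate((const uint8_t *)s, strlen(s), allow_null);
}

int main(void)
{
    /* Constructed sample inputs: valid text, then several malformed forms. */
    const char *good[] = { "hello", "h\xC3\xA9llo", "\xE2\x82\xAC", "\xF0\x9F\x98\x80" };
    const char *bad[]  = { "\x80", "\xC0\xAF", "\xED\xA0\x80", "\xE2\x82", "\xF4\x90\x80\x80", "\xFF" };
    int failures = 0;
    for (size_t k = 0; k < sizeof good / sizeof good[0]; k++)
        if (!utf8_validate_str(good[k], false)) failures++;
    for (size_t k = 0; k < sizeof bad / sizeof bad[0]; k++)
        if (utf8_validate_str(bad[k], false)) failures++;
    if (utf8_validate((const uint8_t *)"a\0b", 3, false)) failures++;
    if (!utf8_validate((const uint8_t *)"a\0b", 3, true)) failures++;
    printf("%s\n", failures == 0 ? "all checks passed" : "some checks failed");
    return failures == 0 ? 0 : 1;
}
```

The point of utf8_seq_len returning 0 for every malformed case, rather than a "skip ahead" value, is that the caller has exactly two outcomes per iteration: advance by a positive count or return false. Any validator written in this shape is trivially terminating, which is the property the CVE text says was violated.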
Comment 1 Larry the Git Cow gentoo-dev 2025-04-10 08:37:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4010a3464c1b2de50164fb7bc551903f10016b3

commit e4010a3464c1b2de50164fb7bc551903f10016b3
Author:     Robert Förster <Dessa@gmake.de>
AuthorDate: 2025-04-07 19:45:29 +0000
Commit:     Alexys Jacob <ultrabug@gentoo.org>
CommitDate: 2025-04-10 08:37:40 +0000

    dev-libs/libbson: add fix for CVE-2023-0437, add proper python dep for sphinx
    
    Closes: https://bugs.gentoo.org/639540
    Closes: https://bugs.gentoo.org/721170
    Closes: https://bugs.gentoo.org/921953
    Bug: https://bugs.gentoo.org/936109
    Signed-off-by: Robert Förster <Dessa@gmake.de>
    Signed-off-by: Alexys Jacob <ultrabug@gentoo.org>

 dev-libs/libbson/Manifest                          |  1 +
 .../files/libbson-1.24.4-CVE-2023-0437.patch       | 25 +++++++++
 dev-libs/libbson/libbson-1.24.4-r1.ebuild          | 64 ++++++++++++++++++++++
 dev-libs/libbson/metadata.xml                      |  1 +
 4 files changed, 91 insertions(+)