| Summary: | mongodb new security issue CVE-2015-1609 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | olchal, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/638448/ | ||
| Whiteboard: | has_procedure advisory MGA4-32-OK MGA4-64-OK | ||
| Source RPM: | mongodb-2.4.9-3.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | mongodb : Full testing procedure I used | ||
Description
David Walser
2015-03-30 16:05:54 CEST

David Walser
2015-03-30 16:06:01 CEST
Whiteboard: (none) => MGA5TOO, MGA4TOO

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=12251#c3

I don't see a PoC.

Upstream patch checked into Mageia 4 and Cauldron SVN.
Freeze push requested for Cauldron.

Patched packages uploaded for Mageia 4 and Cauldron.

See the test procedure linked in Comment 1.

Advisory:
========================

Updated mongodb packages fix security vulnerability:

It was found that the mongod server did not correctly validate certain malformed BSON requests. A remote, unauthenticated attacker could use a specially crafted BSON message to crash a mongod server (CVE-2015-1609).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0252
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/153690.html
========================

Updated packages in core/updates_testing:
========================
mongodb-2.4.6-2.2.mga4
mongodb-server-2.4.6-2.2.mga4

from mongodb-2.4.6-2.2.mga4.src.rpm

Version: Cauldron => 4

Testing on Mageia4x32 real hardware, following the instructions at http://docs.mongodb.org/manual/tutorial/getting-started/ (mentioned in Comment 1).

From current packages:
```
mongodb-2.4.6-2.1.mga4
mongodb-server-2.4.6-2.1.mga4

# systemctl start mongod
# systemctl status mongod
mongod.service - High-performance, schema-free document-oriented database
   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled)
   Active: active (running) since Mon. 2015-03-30 21:21:01 CEST; 8s ago
$ mongo
MongoDB shell version: 2.4.6
connecting to: test
(...)
(some warnings about using a 32-bit version)
```
Used several commands in the mongodb shell to show the db name and logs, create a new db, create a collection, documents, multiple documents, query the collection, iterate a query, ...

Finally deleted the 2 databases:
```
> use mydb
switched to db mydb
> db.dropDatabase();
{ "dropped" : "mydb", "ok" : 1 }
> use test
switched to db test
> db.dropDatabase();
{ "dropped" : "test", "ok" : 1 }
> exit;
# systemctl stop mongod
```

Updated to testing packages:
```
mongodb-2.4.6-2.2.mga4
mongodb-server-2.4.6-2.2.mga4

# systemctl start mongod
# systemctl status mongod
mongod.service - High-performance, schema-free document-oriented database
   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled)
   Active: active (running) since Mon. 2015-03-30 21:49:16 CEST; 4s ago
(...)
```
Followed the same procedure. All OK.

CC: (none) => olchal

Created attachment 6163 [details]
mongodb : Full testing procedure I used

In attachment: full testing procedure I used.
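The procedure in the comments above (start the unit, check that it is active, populate and query a collection from the shell, drop the database, stop the unit, then repeat after installing the updated packages) can be run unattended. The script below is an added example written for this page; it is not olchal's attachment and not a Mageia QA tool. It assumes Python 3.5 or later, root for systemctl, the `mongod` unit name and the printjson()/`systemctl status` output shapes shown above; the database name `mydb`, the 25-document count and the `testData` collection are its own choices. The two output parsers are exercised offline against constructed copies of the status and dropDatabase() output; smoke_test() itself needs a host with the packages installed.

```python
import json
import re
import subprocess

UNIT = "mongod"     # systemd unit exercised in the comments above


def run(cmd):
    """Run a command; return (exit status, combined stdout and stderr)."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          universal_newlines=True)
    return proc.returncode, proc.stdout


def service_is_active(status_output):
    """True when `systemctl status` output reports the unit as active (running)."""
    return re.search(r"^\s*Active:\s+active \(running\)", status_output, re.M) is not None


def json_result(shell_output):
    """Return the JSON value printed by printjson(), ignoring whatever the shell
    printed before it (the 32-bit build emits warnings first)."""
    m = re.search(r"[\[{].*[\]}]", shell_output, re.S)
    if m is None:
        raise RuntimeError("no JSON value in shell output:\n" + shell_output)
    return json.loads(m.group(0))


def drop_succeeded(shell_output, dbname):
    """True when db.dropDatabase() reported { "dropped" : dbname, "ok" : 1 }."""
    res = json_result(shell_output)
    return res.get("dropped") == dbname and res.get("ok") == 1


def mongo_eval(js, dbname):
    """Evaluate JavaScript against dbname in a non-interactive mongo shell."""
    rc, out = run(["mongo", "--quiet", dbname, "--eval", js])
    if rc != 0:
        raise RuntimeError("mongo shell exited %d:\n%s" % (rc, out))
    return out


def smoke_test(dbname="mydb", n_docs=25):
    """Start mongod, populate and query a collection, drop the database, stop mongod.
    Raises on the first unexpected result; run it once before and once after the update."""
    rc, out = run(["systemctl", "start", UNIT])
    if rc != 0:
        raise RuntimeError("systemctl start failed:\n" + out)
    _, status = run(["systemctl", "status", UNIT])
    if not service_is_active(status):
        raise RuntimeError("unit is not active after start:\n" + status)
    mongo_eval("for (var i = 1; i <= %d; i++) db.testData.insert({x: i});" % n_docs, dbname)
    # Wrap scalars in an object and project _id away so the output is plain JSON;
    # an ObjectId(...) literal would not survive json.loads().
    count = json_result(mongo_eval("printjson({n: db.testData.count()});", dbname))["n"]
    if count != n_docs:
        raise RuntimeError("expected %d documents, count() returned %r" % (n_docs, count))
    top = json_result(mongo_eval(
        "printjson(db.testData.find({x: {$gt: %d}}, {_id: 0}).sort({x: 1}).toArray());"
        % (n_docs - 2), dbname))
    if [d["x"] for d in top] != [n_docs - 1, n_docs]:
        raise RuntimeError("unexpected query result: %r" % top)
    if not drop_succeeded(mongo_eval("printjson(db.dropDatabase());", dbname), dbname):
        raise RuntimeError("dropDatabase() did not report success")
    run(["systemctl", "stop", UNIT])
    return {"count": count, "query": top, "dropped": dbname}


# Constructed sample outputs in the shapes shown in the comments above, for offline checks.
SAMPLE_STATUS = (
    "mongod.service - High-performance, schema-free document-oriented database\n"
    "   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled)\n"
    "   Active: active (running) since Mon. 2015-03-30 21:21:01 CEST; 8s ago\n")
SAMPLE_DROP = ("(a 32-bit build warning line would appear here)\n"
               '{ "dropped" : "mydb", "ok" : 1 }\n')

if __name__ == "__main__":
    print(smoke_test())
```

Running it before and after `urpmi --update` of the testing packages gives the same before/after comparison the two manual runs above perform, with the drop result checked rather than eyeballed.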
Testing on Mageia4x64 real hardware using quite the same procedure as in comment 4.

From current packages:
```
mongodb-2.4.6-2.1.mga4
mongodb-server-2.4.6-2.1.mga4
```
OK. This time I did not drop the database "mydb", to verify I could find it after updating.

To updated testing packages:
```
mongodb-2.4.6-2.2.mga4
mongodb-server-2.4.6-2.2.mga4
```
Could find "mydb" after the update. Then followed the same procedure.
mongodb and mongodb-server running OK.

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Validating. Advisory uploaded.
Please push to 4 updates.
Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0130.html

Status: NEW => RESOLVED
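The advisory in this report says mongod did not correctly validate certain malformed BSON requests. As an added illustration of what that validation involves, here is a bounds-checked BSON reader in Python; it is written for this page, is neither the upstream fix nor any MongoDB or Mageia code, and makes no claim about which check the patched package adds. It follows the BSON layout (int32 document length, typed elements with NUL-terminated names, a 0x00 terminator) and refuses any length field that would run past the buffer or the enclosing document. The depth limit of 64, the sample buffers and the decision to reject regex, DBPointer and code-with-scope elements as unsupported are this example's own choices.

```python
import struct

class BSONError(ValueError):
    """Structural problem in a BSON buffer: reject it rather than trust its length fields."""

MAX_DEPTH = 64   # nesting limit chosen for this example, not mongod's own value
FIXED = {0x01: ("<d", 8), 0x07: (None, 12), 0x08: ("<?", 1), 0x09: ("<q", 8),   # fixed-size types:
         0x10: ("<i", 4), 0x11: ("<q", 8), 0x12: ("<q", 8)}                      # (format, size)

def _fixed(buf, pos, n, limit, what):
    """Reserve n bytes at pos; refuse unless they end at or before limit."""
    if n < 0 or pos + n > limit:
        raise BSONError("%s at offset %d needs %d bytes, only %d available" % (what, pos, n, limit - pos))
    return pos + n

def _int32(buf, pos, limit, what):
    _fixed(buf, pos, 4, limit, what)
    return struct.unpack_from("<i", buf, pos)[0]    # signed, as the spec defines it

def _cstring(buf, pos, limit, what):
    """NUL-terminated name; the NUL itself must lie before limit."""
    nul = buf.find(b"\x00", pos, limit)
    if nul < 0:
        raise BSONError("%s at offset %d has no NUL inside the document" % (what, pos))
    return buf[pos:nul].decode("utf-8"), nul + 1

def _string(buf, pos, limit, what):
    """BSON string: int32 byte count (including the trailing NUL), then the bytes."""
    n = _int32(buf, pos, limit, what + " length")
    if n < 1:
        raise BSONError("%s length %d is not positive" % (what, n))
    end = _fixed(buf, pos + 4, n, limit, what + " body")
    if buf[end - 1] != 0:
        raise BSONError("%s at offset %d lacks its trailing NUL" % (what, pos))
    return buf[pos + 4:end - 1].decode("utf-8"), end

def validate_document(buf, pos=0, limit=None, depth=0):
    """Validate the document at buf[pos:] inside limit; return (decoded value, end offset).
    Every length is checked against the enclosing bound before any byte it covers is read."""
    limit = len(buf) if limit is None else limit
    if depth > MAX_DEPTH:
        raise BSONError("nesting deeper than %d levels" % MAX_DEPTH)
    size = _int32(buf, pos, limit, "document length")
    if size < 5:
        raise BSONError("document length %d is below the 5-byte minimum" % size)
    end = _fixed(buf, pos, size, limit, "document")
    if buf[end - 1] != 0:
        raise BSONError("document ending at offset %d lacks its 0x00 terminator" % end)
    last, cur, doc = end - 1, pos + 4, {}     # elements must finish before the terminator
    while cur < last:
        etype, cur = buf[cur], cur + 1
        name, cur = _cstring(buf, cur, last, "element name")
        if etype in FIXED:
            fmt, n = FIXED[etype]
            nxt = _fixed(buf, cur, n, last, "type 0x%02x value" % etype)
            val = struct.unpack_from(fmt, buf, cur)[0] if fmt else buf[cur:nxt]
        elif etype in (0x06, 0x0A, 0x7F, 0xFF):           # undefined, null, max/min key: no payload
            nxt, val = cur, None
        elif etype in (0x02, 0x0D, 0x0E):                 # string, JS code, symbol
            val, nxt = _string(buf, cur, last, "string")
        elif etype in (0x03, 0x04):                       # embedded document, array
            val, nxt = validate_document(buf, cur, last, depth + 1)
            val = list(val.values()) if etype == 0x04 else val
        elif etype == 0x05:                               # binary: int32 length, subtype, bytes
            n = _int32(buf, cur, last, "binary length")
            if n < 0:
                raise BSONError("binary length %d is negative" % n)
            nxt = _fixed(buf, cur + 4, 1 + n, last, "binary body")
            val = (buf[cur + 4], buf[cur + 5:nxt])        # (subtype, payload)
        else:   # regex, DBPointer, code_w_s and later additions are deliberately not handled here
            raise BSONError("unsupported element type 0x%02x at offset %d" % (etype, cur - 1))
        doc[name], cur = val, nxt
    return doc, end

def validate_message(buf):
    """Validate a buffer that must hold exactly one document, e.g. a request body."""
    doc, end = validate_document(buf)
    if end != len(buf):
        raise BSONError("%d trailing bytes after the document" % (len(buf) - end))
    return doc

def first_error(buf):
    """Error message for buf, or None when it is well-formed; bad UTF-8 counts as an error."""
    try:
        validate_message(buf)
    except (BSONError, UnicodeDecodeError) as exc:
        return str(exc)
    return None

# Constructed samples, not taken from the bug report or from the CVE.
INT_X1 = b"\x10x\x00\x01\x00\x00\x00"                 # one element, {"x": 1}, 7 bytes
GOOD = (b"\x2a\x00\x00\x00" + b"\x02name\x00" + b"\x03\x00\x00\x00ab\x00" + b"\x03nested\x00"
        + b"\x10\x00\x00\x00" + b"\x01y\x00" + struct.pack("<d", 2.5) + b"\x00" + b"\x00")
BAD = {   # each must be refused with an error that names the inconsistent field
    "oversized length": b"\xff\x00\x00\x00" + INT_X1 + b"\x00",       # claims 255 bytes, has 12
    "negative length": b"\xff\xff\xff\xff" + INT_X1 + b"\x00",        # length field reads as -1
    "string overrun": b"\x0c\x00\x00\x00" + b"\x02s\x00\x64\x00\x00\x00" + b"\x00",  # 100-byte string
    "nested overrun": b"\x14\x00\x00\x00" + b"\x03d\x00" + b"\x40\x00\x00\x00" + INT_X1 + b"\x00\x00",
    "missing terminator": b"\x0c\x00\x00\x00" + INT_X1 + b"\x01",      # final byte is not 0x00
    "unterminated name": b"\x0c\x00\x00\x00" + b"\x10xxxxxx" + b"\x00",
    "trailing bytes": b"\x0c\x00\x00\x00" + INT_X1 + b"\x00" + b"\xde\xad",
}
```

The point of the structure is that every length field is a claim made by the sender: the document length is checked against the buffer, each string, binary and embedded-document length against the document that contains it, and the terminator's position against the declared length, before any of those bytes are touched. A reader that indexes first and checks later is the kind that a crafted request can crash.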