Bug 10496 - python-pymongo new security issue CVE-2013-2132
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/553815/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Keywords: validated_update
Reported: 2013-06-11 21:11 CEST by David Walser
Modified: 2014-05-08 18:04 CEST (History)

Source RPM: python-pymongo-2.5-1.mga3.src.rpm
Description David Walser 2013-06-11 21:11:34 CEST
Debian has issued an advisory on June 10:
http://www.debian.org/security/2013/dsa-2705

It looks like the issue is fixed upstream in 2.5.2.

Mageia 3 is also affected.

Comment 1 Guillaume Rousse 2013-06-27 13:09:48 CEST
Fixed in cauldron.
Comment 2 David Walser 2013-06-27 14:21:45 CEST
Indeed, I missed that.  Fixed in python-pymongo-2.5.2-1.mga4 in Cauldron.
Comment 3 David Walser 2013-06-28 00:49:35 CEST
I applied the patch linked at the bottom of this page:
https://security-tracker.debian.org/tracker/CVE-2013-2132

It's actually the first of 4 commits mentioned on the upstream bug:
https://jira.mongodb.org/browse/PYTHON-532

So hopefully the one patch is sufficient.  We can update to 2.5.2 if anyone thinks that's more appropriate.

Note to QA: reproducers in the second comment on the upstream bug.

Advisory:
========================

Updated python-pymongo packages fix security vulnerability:

PyMongo before 2.5.2 is prone to a denial-of-service vulnerability. An
attacker can remotely trigger a NULL pointer dereference causing MongoDB
to crash (CVE-2013-2132).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2132
http://www.debian.org/security/2013/dsa-2705
========================

Updated packages in core/updates_testing:
========================
python-pymongo-2.5-1.1.mga3
python-pymongo-gridfs-2.5-1.1.mga3
python-bson-2.5-1.1.mga3

from python-pymongo-2.5-1.1.mga3.src.rpm
Comment 4 claire robinson 2013-07-02 15:27:05 CEST
Testing complete mga3 64

# urpmi mongodb mongodb-server
# service mongod start

$ mongo
MongoDB shell version: 2.2.2
connecting to: test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
        http://docs.mongodb.org/
Questions? Try the support group
        http://groups.google.com/group/mongodb-user
> db.python532.insert({x : {"$ref" : "whatever"} });

Before
------
$ idle
Python 2.7.3 (default, Jan 13 2013, 20:09:12) 
[GCC 4.7.2] on linux2
Type "copyright", "credits" or "license()" for more information.
>>> import pymongo
>>> pymongo.MongoClient().test.python532.find_one()

>>> ================================ RESTART ================================
>>> 


After
-----
$ idle
Python 2.7.3 (default, Jan 13 2013, 20:09:12) 
[GCC 4.7.2] on linux2
Type "copyright", "credits" or "license()" for more information.
>>> import pymongo
>>> pymongo.MongoClient().test.python532.find_one()
{u'x': DBRef(u'whatever', None), u'_id': ObjectId('51d2d0e6046554d4cf9caf66')}
>>>
Comment 5 claire robinson 2013-07-02 15:33:24 CEST
Testing complete mga3 32

Using python interactively..

Before
------
$ python
Python 2.7.3 (default, Jan 13 2013, 20:10:21) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pymongo
>>> pymongo.MongoClient().test.python532.find_one()
Segmentation fault

After
-----
$ python
Python 2.7.3 (default, Jan 13 2013, 20:10:21) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pymongo
>>> pymongo.MongoClient().test.python532.find_one()
{u'x': DBRef(u'whatever', None), u'_id': ObjectId('51d2d5b890a3ef1f5962359b')}
>>>
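The reproducer in comments 4 and 5 stores a sub-document that carries `$ref` but no `$id`, and the fixed package decodes it as `DBRef(u'whatever', None)` instead of faulting. The following is an added example, not code from this bug report or from PyMongo: it assembles that BSON document by hand and applies the tolerant decoding rule implied by the fixed output. The `DBRef` class and the `encode_doc`/`decode_doc` helpers are constructed stand-ins that handle only the string and embedded-document BSON types.

```python
import struct

class DBRef:
    """Constructed stand-in for bson.dbref.DBRef: a collection name and an optional id."""
    def __init__(self, collection, id=None):
        self.collection, self.id = collection, id
    def __eq__(self, other):
        return isinstance(other, DBRef) and (self.collection, self.id) == (other.collection, other.id)

def encode_doc(pairs):
    """Constructed helper: build BSON from (key, value) pairs; values are str or nested pair lists."""
    body = b""
    for key, value in pairs:
        if isinstance(value, str):  # type 0x02: int32 byte length (incl. NUL) + UTF-8 + NUL
            s = value.encode("utf-8") + b"\x00"
            body += b"\x02" + key.encode("utf-8") + b"\x00" + struct.pack("<i", len(s)) + s
        else:                       # type 0x03: embedded document
            body += b"\x03" + key.encode("utf-8") + b"\x00" + encode_doc(value)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def decode_doc(data, pos=0):
    """Decode one BSON document; returns (dict, offset just past its trailing NUL)."""
    total, = struct.unpack_from("<i", data, pos)
    end = pos + total - 1           # offset of the document's trailing 0x00
    pos, out = pos + 4, {}
    while pos < end:
        etype, pos = data[pos], pos + 1
        kend = data.index(b"\x00", pos)
        key, pos = data[pos:kend].decode("utf-8"), kend + 1
        if etype == 0x02:
            slen, = struct.unpack_from("<i", data, pos)
            out[key] = data[pos + 4:pos + 4 + slen - 1].decode("utf-8")
            pos += 4 + slen
        elif etype == 0x03:
            out[key], pos = decode_doc(data, pos)
        else:
            raise ValueError("unsupported BSON type 0x%02x" % etype)
    return out, end + 1

def decode_with_dbref(data):
    """Decode a document and turn each sub-document carrying "$ref" into a DBRef.
    The CVE-2013-2132 fault came from assuming "$id" always accompanies "$ref";
    .get() tolerates its absence, yielding DBRef('whatever', None) for the reproducer."""
    doc, _ = decode_doc(data)
    for key, value in doc.items():
        if isinstance(value, dict) and "$ref" in value:
            doc[key] = DBRef(value["$ref"], value.get("$id"))
    return doc

REPRO_DOC = encode_doc([("x", [("$ref", "whatever")])])  # constructed: {x: {"$ref": "whatever"}}
```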
Comment 6 claire robinson 2013-07-02 15:38:56 CEST
Bug 10679 created for a mongodb bug found while removing mongodb-server
Comment 7 claire robinson 2013-07-02 15:46:47 CEST
Validating. Advisory from comment 3 uploaded.

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks
Comment 8 Nicolas Vigier 2013-07-06 16:30:01 CEST
http://advisories.mageia.org/MGASA-2013-0201.html
