Bug 12251 - mongodb new security issue CVE-2012-6619
Summary: mongodb new security issue CVE-2012-6619
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/586939/
Whiteboard: has_procedure advisory mga3-64-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-01-08 22:47 CET by David Walser
Modified: 2014-02-18 19:55 CET
4 users

See Also:
Source RPM: mongodb-2.2.2-3.mga3.src.rpm
CVE: CVE-2012-6619
Status comment:


Attachments

Description David Walser 2014-01-08 22:47:09 CET
A possible DoS issue was fixed in MongoDB 2.3.2 a year ago.  It now has a CVE:
http://openwall.com/lists/oss-security/2014/01/08/9
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6619

Reproducible: 

Steps to Reproduce:
Philippe Makowski 2014-02-09 10:34:18 CET

Status: NEW => ASSIGNED
CC: (none) => makowski.mageia
CVE: (none) => CVE-2012-6619
Assignee: bugsquad => makowski.mageia

Comment 1 Philippe Makowski 2014-02-09 19:33:25 CET
After investigation, the full upstream patch doesn't really apply to the 2.2 series,
but a simple change could be to enable objcheck in /etc/mongod.conf

or to add --objcheck in /usr/lib/systemd/system/mongod.service
to have:
ExecStart=/usr/bin/mongod $OPTIONS --objcheck --pidfilepath /var/run/mongo/mongo.pid run

ref:
https://bugzilla.redhat.com/show_bug.cgi?id=1049748#c5
Comment 2 Philippe Makowski 2014-02-09 21:28:13 CET
Suggest Advisory:
========================

Updated mongodb package fixes security vulnerability:

A possible DoS issue was discovered (CVE-2012-6619).
The --objcheck command line switch is now enabled by default in mongod.service.

References:
http://openwall.com/lists/oss-security/2014/01/08/9
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6619
========================

Updated packages in core/updates_testing:
========================
mongodb-2.2.2-3.1.mga3
mongodb-server-2.2.2-3.1.mga3

from SRPMS:
mongodb-2.2.2-3.1.mga3.src.rpm

Assignee: makowski.mageia => qa-bugs

Comment 3 Samuel Verschelde 2014-02-10 16:31:08 CET
Testing procedure: follow part of http://docs.mongodb.org/manual/tutorial/getting-started/ to see that basic functionality works.

CC: (none) => stormi
Whiteboard: (none) => has_procedure

Comment 4 Samuel Verschelde 2014-02-11 09:52:44 CET
Testing complete using procedure at comment #3. Mga3 32.

Whiteboard: has_procedure => has_procedure MGA3-32-OK

Comment 5 Philippe Makowski 2014-02-11 09:53:47 CET
Test procedure to see if the security issue is solved:
install mongodb and mongodb-server
check if mongod is running (start it if needed)
After starting the mongo shell, try to insert a bad object as described on page 26 of: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-010.pdf

db.dropme.insert({"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00" : "world"})

it should be rejected, because the --objcheck command line switch is now enabled in mongod.service
Comment 6 claire robinson 2014-02-11 12:19:23 CET
Testing mga3 64
Comment 7 claire robinson 2014-02-11 13:03:33 CET
Unable to start the service here mga3 64. Tried with current and testing versions. Seems to want over 3Gb for its journal and fails to start with not enough free space.

Am I doing something wrong? 3.3Gb for a new empty recovery journal seems odd. I've completely removed it from /var/lib, /var/log and /run and tried again to confirm, but this is the result.

from /var/log/mongo/mongod.log

Tue Feb 11 11:27:21 [initandlisten] db version v2.2.2, pdfile version 4.5
Tue Feb 11 11:27:21 [initandlisten] git version: nogitversion
Tue Feb 11 11:27:21 [initandlisten] build info: Linux ecosse.mageia.org 3.4.69-server-1.mga2 #1 SMP Sat Nov 16 17:44:27 UTC 2013 x86_64 BOOST_LIB_VERSION=1_49
Tue Feb 11 11:27:21 [initandlisten] options: { command: [ "run" ], config: "/etc/mongod.conf", dbpath: "/var/lib/mongo", fork: "true", logappend: "true", logpath: "/var/log/mongo/mongod.log", objcheck: true, pidfilepath: "/var/run/mongo/mongo.pid" }
Tue Feb 11 11:27:21 [initandlisten] journal dir=/var/lib/mongo/journal
Tue Feb 11 11:27:21 [initandlisten] recover : no journal files present, no recovery needed
Tue Feb 11 11:27:21 [initandlisten] 
Tue Feb 11 11:27:21 [initandlisten] ERROR: Insufficient free space for journal files
Tue Feb 11 11:27:21 [initandlisten] Please make at least 3379MB available in /var/lib/mongo/journal or use --smallfiles
Tue Feb 11 11:27:21 [initandlisten] 
Tue Feb 11 11:27:21 [initandlisten] exception in initAndListen: 15926 Insufficient free space for journals, terminating
Tue Feb 11 11:27:21 dbexit: 
...etc

# df -h /dev/sdb1
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdb1        18G   15G  1.8G  90% /

# ll /var/lib/mongo
total 4
drwxr-xr-x 2 mongod mongod 4096 Feb 11 11:33 journal/
-rwxr-xr-x 1 mongod mongod    0 Feb 11 11:33 mongod.lock*

# ll /var/lib/mongo/journal
total 0

It also seems to leave a lock file when it fails.

Whiteboard: has_procedure MGA3-32-OK => has_procedure feedback MGA3-32-OK

Comment 8 claire robinson 2014-02-11 13:18:54 CET
A bit of googling later, this is due to pre-allocation of space for the journal, which can be avoided by using --smallfiles by default. Smallfiles seems like a sensible default to use IMHO. 

Adding --smallfiles to the OPTIONS in /etc/sysconfig/mongod allows it to start.

I'll await feedback because this will currently be broken for systems with less than 3.3Gb spare space in /var/lib.
Comment 9 Samuel Verschelde 2014-02-11 13:32:26 CET
I think we should stay with the default, and the error message is explicit enough, so I would be for validating it once 64 bits testing is complete.
Comment 10 Samuel Verschelde 2014-02-12 11:03:02 CET
Advisory uploaded.

Whiteboard: has_procedure feedback MGA3-32-OK => has_procedure feedback MGA3-32-OK advisory

Comment 11 Philippe Makowski 2014-02-12 11:34:24 CET
It seems that for testing, according to the MongoDB documentation, "you can disable preallocation with the noprealloc run time option. However noprealloc is not intended for use in production environments: only use noprealloc for testing and with small data sets where you frequently drop databases."
http://docs.mongodb.org/manual/faq/storage/#faq-disk-size
and
http://docs.mongodb.org/manual/reference/configuration-options/#noprealloc

but --smallfiles is also good
Comment 12 Philippe Makowski 2014-02-12 11:47:35 CET
(In reply to claire robinson from comment #8)
> I'll await feedback because this will currently be broken for systems with
> less than 3.3Gb spare space in /var/lib.

sorry, but let's stay with the upstream default

If you have small disk space, and more generally for tests, you can use smallfiles or noprealloc;
see comment #11

Whiteboard: has_procedure feedback MGA3-32-OK advisory => has_procedure MGA3-32-OK advisory

Comment 13 claire robinson 2014-02-12 16:40:30 CET
Preparing...                     ###############################################
      1/2: mongodb               ###############################################
      2/2: mongodb-server        ###############################################
warning: %post(mongodb-server-2.2.2-3.1.mga3.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for mongodb-server-2.2.2-3.1.mga3.x86_64: 
      1/2: removing mongodb-server-2.2.2-3.mga3.x86_64
                                 ###############################################
      2/2: removing mongodb-2.2.2-3.mga3.x86_64
                                 ###############################################

Whiteboard: has_procedure MGA3-32-OK advisory => has_procedure MGA3-32-OK advisory feedback

Comment 14 claire robinson 2014-02-12 16:52:44 CET
I think it fails due to it clobbering changes made to /etc/sysconfig/mongod

# cat /etc/sysconfig/mongod 
# TODO: add relevant configuration stuff here.
OPTIONS="-f /etc/mongod.conf"
Comment 15 claire robinson 2014-02-12 17:01:28 CET
The CVE is confirmed closed but we shouldn't clobber user configuration, particularly in this case.

$ mongo
MongoDB shell version: 2.2.2
connecting to: test
> 
> db.dropme.insert({"\x16\x00\x00\x00\x05hello\x00\x010\x00\
... x00\x00world\x00\x00" : "world"})
Client Error: bad object in message
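The "bad object in message" rejection above is what a structural check on incoming BSON produces when a key name carries embedded NUL bytes: BSON key names are NUL-terminated cstrings, so the bytes after the first NUL are misread as the next length field or type byte, and the declared lengths stop matching the bytes present. The following Python is an added illustration of that class of check, written for this page; it is not MongoDB's --objcheck implementation, nor code from the Mageia package or the bug report. The function names (validate_bson, encode_string_doc) and the sample documents are this example's own; the only value taken from the page is the key used in the test procedure of comment 5 and comment 15. Element types not listed in the table are rejected as unknown, which is stricter than the full BSON spec.

```python
import struct

# Constructed sample data for this example; nothing here is captured traffic.


class BsonError(ValueError):
    """Raised when a BSON document fails structural validation."""


# Element types with a fixed-size payload: type byte -> payload length in bytes.
_FIXED_SIZE = {
    0x01: 8,   # double
    0x07: 12,  # ObjectId
    0x08: 1,   # boolean
    0x09: 8,   # UTC datetime
    0x0A: 0,   # null
    0x10: 4,   # int32
    0x11: 8,   # timestamp
    0x12: 8,   # int64
}


def validate_bson(doc: bytes, depth: int = 0) -> int:
    """Walk one BSON document and return its top-level element count.

    Every length prefix is checked against the bytes actually present before
    it is trusted, so a document whose key names or lengths are corrupted is
    rejected instead of being walked past its own end.
    """
    if depth > 32:
        raise BsonError("nesting too deep")
    if len(doc) < 5:
        raise BsonError("document shorter than the 5-byte minimum")
    declared = struct.unpack_from("<i", doc, 0)[0]
    if declared != len(doc):
        raise BsonError(f"declared length {declared} != actual length {len(doc)}")
    if doc[-1] != 0x00:
        raise BsonError("document does not end with a NUL terminator")

    def need(upto: int) -> None:
        # Refuse any read that would run past the end of the document.
        if upto > len(doc):
            raise BsonError(f"element overruns document (needs {upto} bytes, have {len(doc)})")

    pos, count = 4, 0
    while True:
        need(pos + 1)
        etype = doc[pos]
        if etype == 0x00:
            if pos != len(doc) - 1:
                raise BsonError(f"premature terminator at offset {pos}")
            return count
        pos += 1
        # Key names are cstrings: the first NUL ends the key, so a key can never contain one.
        key_end = doc.find(b"\x00", pos)
        if key_end < 0 or key_end >= len(doc) - 1:
            raise BsonError("unterminated key name")
        pos = key_end + 1
        if etype in _FIXED_SIZE:
            pos += _FIXED_SIZE[etype]
        elif etype == 0x02:  # string: int32 length (including NUL) + bytes + NUL
            need(pos + 4)
            slen = struct.unpack_from("<i", doc, pos)[0]
            if slen < 1:
                raise BsonError(f"invalid string length {slen}")
            pos += 4
            need(pos + slen)
            if doc[pos + slen - 1] != 0x00:
                raise BsonError("string value not NUL-terminated")
            pos += slen
        elif etype in (0x03, 0x04):  # embedded document / array: recurse on the slice
            need(pos + 4)
            sublen = struct.unpack_from("<i", doc, pos)[0]
            if sublen < 5:
                raise BsonError(f"invalid sub-document length {sublen}")
            need(pos + sublen)
            validate_bson(doc[pos:pos + sublen], depth + 1)
            pos += sublen
        elif etype == 0x05:  # binary: int32 length + subtype byte + bytes
            need(pos + 5)
            blen = struct.unpack_from("<i", doc, pos)[0]
            if blen < 0:
                raise BsonError(f"invalid binary length {blen}")
            pos += 5 + blen
        else:
            raise BsonError(f"unknown element type 0x{etype:02x}")
        count += 1


def encode_string_doc(key: bytes, value: str, check_key: bool = True) -> bytes:
    """Encode {key: value} as a one-element BSON document with a string value.

    check_key=True is the client-side half of the defence (refuse NUL in keys);
    check_key=False imitates a careless encoder that copies the key as given.
    """
    if check_key and b"\x00" in key:
        raise BsonError("key names may not contain NUL bytes")
    val = value.encode("utf-8") + b"\x00"
    body = b"\x02" + key + b"\x00" + struct.pack("<i", len(val)) + val
    return struct.pack("<i", 4 + len(body) + 1) + body + b"\x00"


# The key from the bug's test procedure: it embeds NUL bytes that a cstring key cannot hold.
BAD_KEY = b"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00"


def demo() -> dict:
    """Validate a well-formed document and the malformed one built from BAD_KEY."""
    good = encode_string_doc(b"hello", "world")
    bad = encode_string_doc(BAD_KEY, "world", check_key=False)
    results = {"good_elements": validate_bson(good), "good_len": len(good)}
    try:
        validate_bson(bad)
        results["bad_rejected"] = False
    except BsonError as exc:
        results["bad_rejected"] = True
        results["bad_reason"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the well-formed document validating as one element, while the document built from the page's key is refused: the validator takes the bytes after the key's first NUL as a string length prefix, which points far beyond the 40 bytes actually present. A server that does not perform this check walks the buffer on those trusted lengths instead, which is the failure mode a DoS of this kind exploits.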
Comment 16 David Walser 2014-02-12 17:06:33 CET
The error from Comment 13 has nothing to do with the sysconfig file; this is what it's running there:
%post server
# (cg) Make sure the pid folder exists on install
mkdir -p %{_var}/run/mongo
chown mongod.mongod %{_var}/run/mongo
%_post_service mongod

So this is yet another harmless error from _post_service, as we've seen in several packages.  You can safely ignore that.  It'd be nice if we could silence that for good in rpm-helper.

However, the first two commands in that script are patently incorrect, since /var/run is a tmpfs now.  This is the case in both Mageia 3 and Mageia 4/Cauldron.  It should be shipping a tmpfiles config for that directory.
Comment 17 claire robinson 2014-02-12 17:31:41 CET
The clobbering of /etc/sysconfig/mongod causes the server to fail to restart though.
Comment 18 David Walser 2014-02-12 17:45:38 CET
I see.  This isn't because of a scriptlet, it's just because the sysconfig file isn't marked as %config(noreplace) as it should be, in the %files server section.  This also needs to be corrected in Mageia 4/Cauldron.
Comment 19 Philippe Makowski 2014-02-12 23:58:14 CET
(In reply to David Walser from comment #18)
> I see.  This isn't because of a scriptlet, it's just because the sysconfig
> file isn't marked as %config(noreplace) as it should be, in the %files
> server section.  This also needs to be corrected in Mageia 4/Cauldron.

I guess I can do it

but for Mageia 4 it would need another bug registered for update I guess
Comment 20 Philippe Makowski 2014-02-13 00:23:04 CET
hum:
%config(noreplace) %{_sysconfdir}/mongod.conf
%{_sysconfdir}/sysconfig/mongod


It seems that changes and user config have to be done in %{_sysconfdir}/mongod.conf not in %{_sysconfdir}/sysconfig/mongod

since as you mention in comment #14 we have :
/etc/sysconfig/mongod 
# TODO: add relevant configuration stuff here.
OPTIONS="-f /etc/mongod.conf"

so this one is here just to load /etc/mongod.conf, no?

Whiteboard: has_procedure MGA3-32-OK advisory feedback => has_procedure MGA3-32-OK advisory

Comment 21 David Walser 2014-02-13 00:32:26 CET
The sysconfig file allows you to change the configuration file that it uses, along with allowing you to add additional command line options without having to edit the systemd unit file.

The feedback marker should stay until both the %config(noreplace) and tmpfiles issue (see Comment 16) are fixed.

Whiteboard: has_procedure MGA3-32-OK advisory => has_procedure MGA3-32-OK advisory feedback

Comment 22 Philippe Makowski 2014-02-15 00:21:11 CET
please test:

Updated packages in core/updates_testing:
========================
mongodb-2.2.2-3.2.mga3
mongodb-server-2.2.2-3.2.mga3

from SRPMS:
mongodb-2.2.2-3.2.mga3.src.rpm

note that once this is validated, I will make changes to mga4 and cauldron to fix the %config(noreplace) and tmpfiles issues there too, the same way I did in mga3

Whiteboard: has_procedure MGA3-32-OK advisory feedback => has_procedure MGA3-32-OK advisory

Comment 23 David Walser 2014-02-15 04:35:22 CET
I've just looked at the diff, but it looks good.  Thanks Philippe.

http://svnweb.mageia.org/packages/updates/3/mongodb/current/SPECS/mongodb.spec?r1=587736&r2=591470
Samuel Verschelde 2014-02-15 13:22:42 CET

Whiteboard: has_procedure MGA3-32-OK advisory => has_procedure advisory

Comment 24 claire robinson 2014-02-17 18:13:24 CET
Testing complete mga3 64

The /etc/sysconfig/mongod file is now preserved when the update is installed.

Tested the CVE as in comment 15 and also the first part of the procedure from comment 3. Service starts and stops ok.

Bringing the advisory into one spot. I'll update it on svn so it's ready to push.

Advisory:
========================

Updated mongodb package fixes security vulnerability:

A possible DoS issue was discovered (CVE-2012-6619).
The --objcheck command line switch is now enabled by default in mongod.service.

References:
http://openwall.com/lists/oss-security/2014/01/08/9
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6619
========================

Updated packages in core/updates_testing:
========================
mongodb-2.2.2-3.2.mga3
mongodb-server-2.2.2-3.2.mga3

from SRPMS:
mongodb-2.2.2-3.2.mga3.src.rpm

Whiteboard: has_procedure advisory => has_procedure advisory mga3-64-ok

Comment 25 claire robinson 2014-02-17 18:24:05 CET
Testing complete mga3 32. 

Please don't forget to make these changes in Cauldron too Philippe.

Validating

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga3-64-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 26 Philippe Makowski 2014-02-17 18:27:25 CET
(In reply to claire robinson from comment #25)
> Please don't forget to make these changes in Cauldron too Philippe.
done:
http://svnweb.mageia.org/packages?view=revision&revision=591868
and in mga4
http://svnweb.mageia.org/packages?view=revision&revision=591866
Comment 27 Thomas Backlund 2014-02-17 19:21:16 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0083.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-02-18 19:55:20 CET

URL: (none) => http://lwn.net/Vulnerabilities/586939/
