A possible DoS issue was fixed in MongoDB 2.3.2 a year ago. It now has a CVE:
http://openwall.com/lists/oss-security/2014/01/08/9
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6619
Status: NEW => ASSIGNED
CC: (none) => makowski.mageia
CVE: (none) => CVE-2012-6619
Assignee: bugsquad => makowski.mageia
After investigation, the full upstream patch doesn't really apply to the 2.2 series, but a simple change could be to enable objcheck in /etc/mongod.conf or to add --objcheck in /usr/lib/systemd/system/mongod.service to have:
ExecStart=/usr/bin/mongod $OPTIONS --objcheck --pidfilepath /var/run/mongo/mongo.pid run
ref: https://bugzilla.redhat.com/show_bug.cgi?id=1049748#c5
Suggested Advisory:
========================
Updated mongodb package fixes security vulnerability:
A possible DoS issue was discovered (CVE-2012-6619). The --objcheck command line switch is now enabled by default in mongod.service.
References:
http://openwall.com/lists/oss-security/2014/01/08/9
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6619
========================
Updated packages in core/updates_testing:
========================
mongodb-2.2.2-3.1.mga3
mongodb-server-2.2.2-3.1.mga3
from SRPMS:
mongodb-2.2.2-3.1.mga3.src.rpm
Assignee: makowski.mageia => qa-bugs
Testing procedure: follow part of http://docs.mongodb.org/manual/tutorial/getting-started/ to see that basic functionality works.
CC: (none) => stormi
Whiteboard: (none) => has_procedure
Testing complete using procedure at comment #3. Mga3 32.
Whiteboard: has_procedure => has_procedure MGA3-32-OK
Test procedure to see if the security issue is solved:
install mongodb and mongodb-server
check if mongod is running (start it if needed)
After starting the mongo shell, try to insert a bad object as described on page 26 of: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-010.pdf
db.dropme.insert({"\x16\x00\x00\x00\x05hello\x00\x010\x00\
x00\x00world\x00\x00" : "world"})
It should be rejected, because the --objcheck command line switch is now enabled in mongod.service.
Testing mga3 64
Unable to start the service here mga3 64. Tried with current and testing versions. Seems to want over 3Gb for its journal and fails to start with not enough free space. Am I doing something wrong? 3.3Gb for a new empty recovery journal seems odd. I've completely removed from /var/lib, /var/log and /run and tried again to confirm but this is the result.
from /var/log/mongo/mongod.log
Tue Feb 11 11:27:21 [initandlisten] db version v2.2.2, pdfile version 4.5
Tue Feb 11 11:27:21 [initandlisten] git version: nogitversion
Tue Feb 11 11:27:21 [initandlisten] build info: Linux ecosse.mageia.org 3.4.69-server-1.mga2 #1 SMP Sat Nov 16 17:44:27 UTC 2013 x86_64 BOOST_LIB_VERSION=1_49
Tue Feb 11 11:27:21 [initandlisten] options: { command: [ "run" ], config: "/etc/mongod.conf", dbpath: "/var/lib/mongo", fork: "true", logappend: "true", logpath: "/var/log/mongo/mongod.log", objcheck: true, pidfilepath: "/var/run/mongo/mongo.pid" }
Tue Feb 11 11:27:21 [initandlisten] journal dir=/var/lib/mongo/journal
Tue Feb 11 11:27:21 [initandlisten] recover : no journal files present, no recovery needed
Tue Feb 11 11:27:21 [initandlisten]
Tue Feb 11 11:27:21 [initandlisten] ERROR: Insufficient free space for journal files
Tue Feb 11 11:27:21 [initandlisten] Please make at least 3379MB available in /var/lib/mongo/journal or use --smallfiles
Tue Feb 11 11:27:21 [initandlisten]
Tue Feb 11 11:27:21 [initandlisten] exception in initAndListen: 15926 Insufficient free space for journals, terminating
Tue Feb 11 11:27:21 dbexit: ...etc
# df -h /dev/sdb1
Filesystem Size Used Avail Use% Mounted on
/dev/sdb1 18G 15G 1.8G 90% /
# ll /var/lib/mongo
total 4
drwxr-xr-x 2 mongod mongod 4096 Feb 11 11:33 journal/
-rwxr-xr-x 1 mongod mongod 0 Feb 11 11:33 mongod.lock*
# ll /var/lib/mongo/journal
total 0
It also seems to leave a lock file when it fails.
Whiteboard: has_procedure MGA3-32-OK => has_procedure feedback MGA3-32-OK
A bit of googling later, this is due to pre-allocation of space for the journal, which can be avoided by using --smallfiles by default. Smallfiles seems like a sensible default to use IMHO. Adding --smallfiles to the OPTIONS in /etc/sysconfig/mongod allows it to start. I'll await feedback because this will currently be broken for systems with less than 3.3Gb spare space in /var/lib.
I think we should stay with the default, and the error message is explicit enough, so I would be for validating it once 64-bit testing is complete.
Advisory uploaded.
Whiteboard: has_procedure feedback MGA3-32-OK => has_procedure feedback MGA3-32-OK advisory
It seems that for testing, according to the MongoDB documentation, "you can disable preallocation with the noprealloc run time option. However noprealloc is not intended for use in production environments: only use noprealloc for testing and with small data sets where you frequently drop databases." http://docs.mongodb.org/manual/faq/storage/#faq-disk-size and http://docs.mongodb.org/manual/reference/configuration-options/#noprealloc but --smallfiles is good also.
(In reply to claire robinson from comment #8)
> I'll await feedback because this will currently be broken for systems with
> less than 3.3Gb spare space in /var/lib.
Sorry, but let's stay with the upstream default. If you have small disk space, and more generally for tests, you can use smallfiles or noprealloc, see comment #11.
Whiteboard: has_procedure feedback MGA3-32-OK advisory => has_procedure MGA3-32-OK advisory
Preparing... ###############################################
1/2: mongodb ###############################################
2/2: mongodb-server ###############################################
warning: %post(mongodb-server-2.2.2-3.1.mga3.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for mongodb-server-2.2.2-3.1.mga3.x86_64:
1/2: removing mongodb-server-2.2.2-3.mga3.x86_64 ###############################################
2/2: removing mongodb-2.2.2-3.mga3.x86_64 ###############################################
Whiteboard: has_procedure MGA3-32-OK advisory => has_procedure MGA3-32-OK advisory feedback
I think it fails due to it clobbering changes made to /etc/sysconfig/mongod
# cat /etc/sysconfig/mongod
# TODO: add relevant configuration stuff here.
OPTIONS="-f /etc/mongod.conf"
The CVE is confirmed closed but we shouldn't clobber user configuration, particularly in this case.
$ mongo
MongoDB shell version: 2.2.2
connecting to: test
>
> db.dropme.insert({"\x16\x00\x00\x00\x05hello\x00\x010\x00\
... x00\x00world\x00\x00" : "world"})
Client Error: bad object in message
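The rejection shown above is the server refusing a BSON document whose declared element length runs past the end of the document. As an added illustration (not code from this bug thread or from MongoDB), the following validator performs that kind of structural length check on raw BSON and is run against the malformed object from the test procedure in comment 5 and the rejection in comment 15; BAD_DOC and GOOD_DOC are constructed byte strings, and only the common element types are handled.

```python
import struct

# Constructed from the malformed object in the test procedure: the 0x05 (binary)
# element declares a 0x3001-byte value inside a document whose header says 22 bytes.
BAD_DOC = b"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00"
# Well-formed {"hello": "world"} for comparison (type 0x02 string, length 6).
GOOD_DOC = b"\x16\x00\x00\x00\x02hello\x00\x06\x00\x00\x00world\x00\x00"
# BSON types with fixed-size values: double, ObjectId, bool, datetime, null, int32, int64
FIXED = {0x01: 8, 0x07: 12, 0x08: 1, 0x09: 8, 0x0A: 0, 0x10: 4, 0x12: 8}

def validate_bson(buf, offset=0):
    """Structural check in the spirit of mongod --objcheck: every declared
    length must stay inside the enclosing document. Returns (ok, reason)."""
    if len(buf) - offset < 5:
        return False, "too short for a document header"
    doc_len = struct.unpack_from("<i", buf, offset)[0]
    doc_end = offset + doc_len
    if doc_len < 5 or doc_end > len(buf):
        return False, f"document length {doc_len} overruns the buffer"
    if buf[doc_end - 1] != 0:
        return False, "document is not NUL-terminated"
    pos = offset + 4
    while pos < doc_end - 1:
        etype = buf[pos]
        name_end = buf.find(b"\x00", pos + 1, doc_end - 1)  # cstring element name
        if name_end < 0:
            return False, "unterminated element name"
        pos = name_end + 1
        if etype in FIXED:
            size = FIXED[etype]
        elif etype in (0x02, 0x03, 0x04, 0x05):  # string, document, array, binary
            if doc_end - 1 - pos < 4:
                return False, "truncated length field"
            n = struct.unpack_from("<i", buf, pos)[0]
            if n < (1 if etype == 0x02 else 0):  # string length counts its NUL
                return False, f"bad declared length {n}"
            size = {0x02: 4 + n, 0x05: 5 + n}.get(etype, n)  # binary adds a subtype byte
        else:
            return False, f"unknown element type 0x{etype:02x}"
        if pos + size > doc_end - 1:
            return False, f"element value of {size} bytes overruns the document"
        if etype == 0x02 and buf[pos + size - 1] != 0:
            return False, "string value is not NUL-terminated"
        if etype in (0x03, 0x04):  # embedded document or array: validate recursively
            ok, why = validate_bson(buf, pos)
            if not ok:
                return False, "in sub-document: " + why
        pos += size
    return True, "ok"
```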
The error from Comment 13 has nothing to do with the sysconfig file, this is what it's running there:
%post server
# (cg) Make sure the pid folder exists on install
mkdir -p %{_var}/run/mongo
chown mongod.mongod %{_var}/run/mongo
%_post_service mongod
So this is yet another harmless error from _post_service, as we've seen in several packages. You can safely ignore that. It'd be nice if we could silence that for good in rpm-helper. However, the first two commands in that script are patently incorrect, since /var/run is a tmpfs now. This is the case in both Mageia 3 and Mageia 4/Cauldron. It should be shipping a tmpfiles config for that directory.
The clobbering of /etc/sysconfig/mongod causes the server to fail to restart though.
I see. This isn't because of a scriptlet, it's just because the sysconfig file isn't marked as %config(noreplace) as it should be, in the %files server section. This also needs to be corrected in Mageia 4/Cauldron.
(In reply to David Walser from comment #18)
> I see. This isn't because of a scriptlet, it's just because the sysconfig
> file isn't marked as %config(noreplace) as it should be, in the %files
> server section. This also needs to be corrected in Mageia 4/Cauldron.
I guess I can do it, but for Mageia 4 it would need another bug registered for the update, I guess.
hum:
%config(noreplace) %{_sysconfdir}/mongod.conf
%{_sysconfdir}/sysconfig/mongod
It seems that changes and user config have to be done in %{_sysconfdir}/mongod.conf, not in %{_sysconfdir}/sysconfig/mongod, since as you mention in comment #14 we have:
/etc/sysconfig/mongod
# TODO: add relevant configuration stuff here.
OPTIONS="-f /etc/mongod.conf"
so this one is here just to load /etc/mongod.conf, no?
Whiteboard: has_procedure MGA3-32-OK advisory feedback => has_procedure MGA3-32-OK advisory
The sysconfig file allows you to change the configuration file that it uses, along with allowing you to add additional command line options without having to edit the systemd unit file. The feedback marker should stay until both the %config(noreplace) and tmpfiles issues (see Comment 16) are fixed.
please test:
Updated packages in core/updates_testing:
========================
mongodb-2.2.2-3.2.mga3
mongodb-server-2.2.2-3.2.mga3
from SRPMS:
mongodb-2.2.2-3.2.mga3.src.rpm
Note that when this is validated I will make changes to mga4 and cauldron to fix the %config(noreplace) and tmpfiles issues there too, the same way I did in mga3.
I've just looked at the diff, but it looks good. Thanks Philippe. http://svnweb.mageia.org/packages/updates/3/mongodb/current/SPECS/mongodb.spec?r1=587736&r2=591470
Whiteboard: has_procedure MGA3-32-OK advisory => has_procedure advisory
Testing complete mga3 64. The /etc/sysconfig/mongod file is now preserved when the update is installed. Tested the CVE as in comment 15 and also the first part of the procedure from comment 3. Service starts and stops ok. Bringing the advisory into one spot. I'll update it on svn so it's ready to push.
Advisory:
========================
Updated mongodb package fixes security vulnerability:
A possible DoS issue was discovered (CVE-2012-6619). The --objcheck command line switch is now enabled by default in mongod.service.
References:
http://openwall.com/lists/oss-security/2014/01/08/9
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6619
========================
Updated packages in core/updates_testing:
========================
mongodb-2.2.2-3.2.mga3
mongodb-server-2.2.2-3.2.mga3
from SRPMS:
mongodb-2.2.2-3.2.mga3.src.rpm
Whiteboard: has_procedure advisory => has_procedure advisory mga3-64-ok
Testing complete mga3 32. Please don't forget to make these changes in Cauldron too, Philippe. Validating. Could sysadmin please push to 3 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga3-64-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
(In reply to claire robinson from comment #25)
> Please don't forget to make these changes in Cauldron too Philippe.
done: http://svnweb.mageia.org/packages?view=revision&revision=591868
and in mga4: http://svnweb.mageia.org/packages?view=revision&revision=591866
Update pushed: http://advisories.mageia.org/MGASA-2014-0083.html
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/586939/