Hi Thomas, thanks for the debdiff. I've actually already prepared a patch, sorry for not being more explicit.
I am actually rebuilding the package right now, as it has to be built with gcc-4.7: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701324

Anyway, thank you for the effort,
Antonin

* Thomas Goirand <z...@debian.org> [2013-07-18 16:05] wrote:
> Hi, > > Here's the proposed debdiff for patching the current version in Sid. > > Thomas Goirand (zigo) > diff -Nru mongodb-2.4.3/debian/changelog mongodb-2.4.3/debian/changelog > --- mongodb-2.4.3/debian/changelog 2013-04-24 20:18:05.000000000 +0000 > +++ mongodb-2.4.3/debian/changelog 2013-07-18 13:56:15.000000000 +0000 > @@ -1,3 +1,11 @@ > +mongodb (1:2.4.3-1.1) unstable; urgency=high > + > + * Non-maintainer upload. > + * CVE-2013-4650 - fix allows remote authenticated users to obtain internal > system privileges (Closes: #715007). > + > + -- Thomas Goirand <z...@debian.org> Thu, 18 Jul 2013 13:55:23 +0000 > + > mongodb (1:2.4.3-1) unstable; urgency=low > > [ Jeff Epler ] > diff -Nru > mongodb-2.4.3/debian/patches/0008-CVE-2013-4650_do_not_lock_when_looking_up_for_system_user.patch > > mongodb-2.4.3/debian/patches/0008-CVE-2013-4650_do_not_lock_when_looking_up_for_system_user.patch > --- > mongodb-2.4.3/debian/patches/0008-CVE-2013-4650_do_not_lock_when_looking_up_for_system_user.patch > 1970-01-01 00:00:00.000000000 +0000 > +++ > mongodb-2.4.3/debian/patches/0008-CVE-2013-4650_do_not_lock_when_looking_up_for_system_user.patch > 2013-07-18 13:55:04.000000000 +0000 
> @@ -0,0 +1,50 @@ > +Description: CVE-2013-4650 - fix allows remote authenticated users to obtain > internal system privileges > + MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote > + authenticated users to obtain internal system privileges by leveraging a > + username of __system in an arbitrary database. > + . > + Do not needlessly lock when looking up privileges for the __system@local > user > +Author: Andy Schwerin > +Bug-Debian: http://bugs.debian.org/715007 > +Origin: > https://github.com/mongodb/mongo/commit/23344f8b7506df694f66999693ee3c00dfd6afae > +Last-Update: 2013-07-18 > + > +--- mongodb-2.4.3.orig/src/mongo/db/auth/authorization_manager.cpp > ++++ mongodb-2.4.3/src/mongo/db/auth/authorization_manager.cpp > +@@ -394,9 +394,21 @@ namespace { > + _authenticatedPrincipals.add(principal); > + if (!principal->isImplicitPrivilegeAcquisitionEnabled()) > + return; > ++ > ++ const std::string dbname = principal->getName().getDB().toString(); > ++ if (dbname == StringData("local", StringData::LiteralTag()) && > ++ principal->getName().getUser() == internalSecurity.user) { > ++ > ++ // Grant full access to internal user > ++ ActionSet allActions; > ++ allActions.addAllActions(); > ++ acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, > allActions), > ++ principal->getName()); > ++ return; > ++ } > ++ > + _acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, > principal->getName()); > + principal->markDatabaseAsProbed(ADMIN_DBNAME); > +- const std::string dbname = principal->getName().getDB().toString(); > + _acquirePrivilegesForPrincipalFromDatabase(dbname, > principal->getName()); > + principal->markDatabaseAsProbed(dbname); > + } > +@@ -491,13 +503,6 @@ namespace { > + << principal.getDB(), > + 0); > + } > +- if (principal.getUser() == internalSecurity.user) { > +- // Grant full access to internal user > +- ActionSet allActions; > +- allActions.addAllActions(); > +- return > acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, 
allActions), > +- principal); > +- } > + return buildPrivilegeSet(dbname, principal, privilegeDocument, > &_acquiredPrivileges); > + } > + > diff -Nru mongodb-2.4.3/debian/patches/series > mongodb-2.4.3/debian/patches/series > --- mongodb-2.4.3/debian/patches/series 2013-04-24 20:18:05.000000000 > +0000 > +++ mongodb-2.4.3/debian/patches/series 2013-07-18 13:51:02.000000000 > +0000 > @@ -5,3 +5,4 @@ > 0005-kfreebsd-does-not-have-sys-prctl.h.patch > 0006-ARM-support-for-ASM-operations-in-MongoDB.patch > 0007-Fix-ARM-alignment-problems.patch > +0008-CVE-2013-4650_do_not_lock_when_looking_up_for_system_user.patch
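Review bot: the changelog entry `* CVE-2013-4650 - fix allows remote authenticated users to obtain internal system privileges` reads as though the fix itself grants the privileges, and the same wording is repeated in the new patch's `Description:` header. Suggest separating the action from the vulnerability, e.g. `* Fix CVE-2013-4650: remote authenticated users could obtain internal system privileges via a __system user in an arbitrary database (Closes: #715007).` The DEP-3 `Origin:` and `Bug-Debian:` fields in the patch header are present and point at the upstream commit and the Debian bug, which is the right level of documentation for a security NMU.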
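Review bot: in the first `authorization_manager.cpp` hunk the new early return for the `local`/`internalSecurity.user` case grants `WILDCARD_RESOURCE` with all actions and then returns before `principal->markDatabaseAsProbed(ADMIN_DBNAME)` and `principal->markDatabaseAsProbed(dbname)` run, so the internal principal is never recorded as probed for either database; worth confirming that this matches the upstream commit named in `Origin:` and that nothing downstream relies on that probed state for the internal user. The move itself is the substance of the fix: the block removed in the second hunk matched on `principal.getUser() == internalSecurity.user` alone, so a principal named `__system` in any database received full privileges, whereas the relocated check additionally requires `principal->getName().getDB()` to be `local`. The old `- const std::string dbname = ...` line is correctly dropped now that `dbname` is declared earlier in the function, so there is no redefinition.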