-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 May 2025 16:44:24 -0400
Source: libbson-xs-perl
Architecture: source
Version: 0.8.4-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Roberto C. Sánchez <roberto@debian.org>
Changes:
 libbson-xs-perl (0.8.4-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix security issues in embedded copy of libbson:
     + CVE-2017-14227: the bson_iter_codewscope function in bson-iter.c
       miscalculates a bson_utf8_validate length argument, which allows
       remote attackers to cause a denial of service (heap-based buffer
       over-read in the bson_utf8_validate function in bson-utf8.c), as
       demonstrated by bson-to-json.c.
     + CVE-2018-16790: _bson_iter_next_internal has a heap-based buffer
       over-read via a crafted bson buffer.
     + CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop
       with an exit condition that cannot be reached may occur, i.e. an
       infinite loop.
     + CVE-2024-6381: The bson_strfreev function in the MongoDB C driver
       library may be susceptible to an integer overflow where the function
       will try to free memory at a negative offset. This may result in
       memory corruption.
     + CVE-2024-6383: The bson_string_append function in MongoDB C Driver
       may be vulnerable to a buffer overflow where the function might
       attempt to allocate too small of buffer and may lead to memory
       corruption of neighbouring heap memory.
     + CVE-2025-0755: The various bson_append functions in the MongoDB C
       driver library may be susceptible to buffer overflow when performing
       operations that could result in a final BSON document which exceeds
       the maximum allowable size (INT32_MAX), resulting in a segmentation
       fault and possible application crash.
Checksums-Sha1:
 1cd1b238d49e5a3b89bffbf9e3b3bb65c1cfcf95 2381 libbson-xs-perl_0.8.4-1+deb11u1.dsc
 b968f3ae8225c6292f63a79fcb3230524b73b10f 231873 libbson-xs-perl_0.8.4.orig.tar.gz
 a3ad41118a6cefe693395f26c69064c607acb8e4 8004 libbson-xs-perl_0.8.4-1+deb11u1.debian.tar.xz
 fe09de9bb7c4dafc937379e57a06d15da19abac4 7403 libbson-xs-perl_0.8.4-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 eb4e72f6f0c5db7a8ecac9848cb46c9dbf7e28429f2ebdd5da3cea0793adfcb3 2381 libbson-xs-perl_0.8.4-1+deb11u1.dsc
 28f7d338fd78b6f9c9a6080be9de3f5cb23d888b96ebf6fcbface9f2966aebf9 231873 libbson-xs-perl_0.8.4.orig.tar.gz
 f42009dac1ed2971ce97b0efa12edc5dbc2829232d99c4f27848da9d03238a13 8004 libbson-xs-perl_0.8.4-1+deb11u1.debian.tar.xz
 712590b466d094c677fd3c4f19aa6cade81fc036cfd8728c26717e68c3840c8b 7403 libbson-xs-perl_0.8.4-1+deb11u1_amd64.buildinfo
Files:
 cdf51d1381c44680064ba9bb52f76c97 2381 perl optional libbson-xs-perl_0.8.4-1+deb11u1.dsc
 596a9b2b1250a7a6452125cb1be0fbc0 231873 perl optional libbson-xs-perl_0.8.4.orig.tar.gz
 ec25d1b239bee81d5473592e56e44eb4 8004 perl optional libbson-xs-perl_0.8.4-1+deb11u1.debian.tar.xz
 45685af5da923c5156dbd81d8a24c76a 7403 perl optional libbson-xs-perl_0.8.4-1+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEIYZ1DR4ae5UL01q7ldFmTdL1kUIFAmgdUj4ACgkQldFmTdL1
kULCQxAAqtSZHJ+RVhYdxH1h3nvFXTbLawchPP6O/QX/04Zgk2Le6qlYv090RvkQ
HtRIJ8XqSugQGJyNB9IyoE393ECZFYewZ9qGhixd/nq7KN2cZVDHIQmCoFVChnMA
4ThIVWrRTJ1NT7cbJ/vNfNBmeIQT6BPuQqgOEaP1oEbDH7dnj0ZAhH5TqZFuyv55
H498kCe+MgUS0KZnRc0aHQPd2ADIedq97DGzeeb49QVqSA0nHl8bnX2icpgdwroT
NBT2NKGVZtP6Zlr8pviAZza0M83HEtCppoeLk0VVn7sFF/JwyWHNmyaIvPu6jOxK
bV1YTAVVd14C2fAcXjM32NzqpPlS6rJYH51l79XCpHkC8m0r6rGQA+rd/eSK8UfF
2iZ3T4jEYjVGErrpmMo+iZP0SWvMx5D2BGaPf6P3GEyqPOlneISEMYWI5Q4psJIK
oXjeC5VIBKV/ZeQpJbxbGLQQjvIZjnxWFV/l49nfI+3BVbmdq7TW6Y85TlhnCWfl
fpNvKz0nlbnRY7z4KMv/EL4JNfUKmPvd7FidYYNLxnP5x0l0YUTeSKzU8q/UCu+R
GShW257X494+3efVIdAhibxKn6CXTWgqEzCWBG3pDywG732a6y38Icc9v+zBsIJW
pyPD5D1LuE6MNjdz/VGExXNMp6ZhMBnU+MBunUr0Nvq3r+njFRU=
=AgBa
-----END PGP SIGNATURE-----