Backport CVE-2024-5629

Resolves: RHEL-40169

pymongo-CVE-2024-5629.patch

@@ -0,0 +1,33 @@
+Backported upstream commit https://github.com/mongodb/mongo-python-driver/commit/56b6b6dbc267d365d97c037082369dabf37405d2
+Fixed CVE-2024-5629
+diff -ur mongo-python-driver-3.7.0/bson/_cbsonmodule.c mongo_patch/bson/_cbsonmodule.c
+--- mongo-python-driver-3.7.0/bson/_cbsonmodule.c	2018-06-26 18:08:42.000000000 +0000
++++ mongo_patch/bson/_cbsonmodule.c	2025-04-06 07:06:48.259986820 +0000
+@@ -2280,6 +2280,7 @@
+             uint32_t c_w_s_size;
+             uint32_t code_size;
+             uint32_t scope_size;
++	    uint32_t len;
+             PyObject* code;
+             PyObject* scope;
+             PyObject* code_type;
+@@ -2299,7 +2300,8 @@
+             memcpy(&code_size, buffer + *position, 4);
+             code_size = BSON_UINT32_FROM_LE(code_size);
+             /* code_w_scope length + code length + code + scope length */
+-            if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
++	    len = 4 + 4 + code_size + 4;
++            if (!code_size || max < code_size || max < len || len < code_size) {
+                 goto invalid;
+             }
+             *position += 4;
+@@ -2322,7 +2324,8 @@
+                 goto invalid;
+             }
+             /* code length + code + scope length + scope */
+-            if ((4 + code_size + 4 + scope_size) != c_w_s_size) {
++	    len = 4 + 4 + code_size + scope_size;
++            if (scope_size < BSON_MIN_SIZE || len != c_w_s_size || len < scope_size) {
+                 Py_DECREF(code);
+                 goto invalid;
+             }

python-pymongo.spec

@@ -22,7 +22,7 @@
 
 Name:           python-pymongo
 Version:        3.7.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 
 # All code is ASL 2.0 except bson/time64*.{c,h} which is MIT
 License:        ASL 2.0 and MIT
@@ -37,6 +37,7 @@ ExclusiveArch:  %{mongodb_arches}
 # and CVE-2013-2099, and wasn't needed anyway since Fedora >= 22 has the needed module in the Python
 # standard library. It also adjusts imports so that they exclusively use the code from Python.
 Patch01:        0001-Use-ssl.match_hostname-from-the-Python-stdlib.patch
+Patch02:	pymongo-CVE-2024-5629.patch
 
 %if %{with tests}
 %ifnarch armv7hl ppc64 s390 s390x
@@ -162,6 +163,7 @@ contains the python3 version of this module.
 %prep
 %setup -q -n mongo-python-driver-%{version}
 %patch01 -p1 -b .ssl
+%patch02 -p1
 
 # Remove the bundled ssl.match_hostname library as it was vulnerable to CVE-2013-7440
 # and CVE-2013-2099, and isn't needed anyway since Fedora >= 22 has the needed module in the Python
@@ -285,6 +287,9 @@ pkill mongod
 
 
 %changelog
+* Fri Apr 04 2025 Filip Janus <fjanus@redhat.com> - 3.7.0-2
+- Backport CVE-2024-5629
+
 * Fri Oct 09 2020 Lukas Javorsky <ljavorsk@redhat.com> - 3.7.0-1
 - Rebase to 3.7.0
 - Includes new SCRAM-SHA-256 authentication