import UBI python-pymongo-3.7.0-2.module+el8.10.0+23071+07f1d18e

2025-06-03 01:35:29 +00:00 · 2025-06-03 01:35:29 +00:00 · 35fc80eaf5
commit 35fc80eaf5
parent e0ddb8f7b4
2 changed files with 39 additions and 1 deletions
--- a/SOURCES/pymongo-CVE-2024-5629.patch
+++ b/SOURCES/pymongo-CVE-2024-5629.patch
@ -0,0 +1,33 @@
+Backported upstream commit https://github.com/mongodb/mongo-python-driver/commit/56b6b6dbc267d365d97c037082369dabf37405d2
+Fixed CVE-2024-5629
+diff -ur mongo-python-driver-3.7.0/bson/_cbsonmodule.c mongo_patch/bson/_cbsonmodule.c
+--- mongo-python-driver-3.7.0/bson/_cbsonmodule.c	2018-06-26 18:08:42.000000000 +0000
+++ mongo_patch/bson/_cbsonmodule.c	2025-04-06 07:06:48.259986820 +0000
+@@ -2280,6 +2280,7 @@
+             uint32_t c_w_s_size;
+             uint32_t code_size;
+             uint32_t scope_size;
+	    uint32_t len;
+             PyObject* code;
+             PyObject* scope;
+             PyObject* code_type;
+@@ -2299,7 +2300,8 @@
+             memcpy(&code_size, buffer + *position, 4);
+             code_size = BSON_UINT32_FROM_LE(code_size);
+             /* code_w_scope length + code length + code + scope length */
+-            if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
+	    len = 4 + 4 + code_size + 4;
+            if (!code_size || max < code_size || max < len || len < code_size) {
+                 goto invalid;
+             }
+             *position += 4;
+@@ -2322,7 +2324,8 @@
+                 goto invalid;
+             }
+             /* code length + code + scope length + scope */
+-            if ((4 + code_size + 4 + scope_size) != c_w_s_size) {
+	    len = 4 + 4 + code_size + scope_size;
+            if (scope_size < BSON_MIN_SIZE || len != c_w_s_size || len < scope_size) {
+                 Py_DECREF(code);
+                 goto invalid;
+             }
--- a/SPECS/python-pymongo.spec
+++ b/SPECS/python-pymongo.spec
@ -22,7 +22,7 @@

 Name:           python-pymongo
 Version:        3.7.0
-Release:        1%{?dist}
+Release:        2%{?dist}

 # All code is ASL 2.0 except bson/time64*.{c,h} which is MIT
 License:        ASL 2.0 and MIT
@ -37,6 +37,7 @@ ExclusiveArch:  %{mongodb_arches}
 # and CVE-2013-2099, and wasn't needed anyway since Fedora >= 22 has the needed module in the Python
 # standard library. It also adjusts imports so that they exclusively use the code from Python.
 Patch01:        0001-Use-ssl.match_hostname-from-the-Python-stdlib.patch
+Patch02:	pymongo-CVE-2024-5629.patch

 %if %{with tests}
 %ifnarch armv7hl ppc64 s390 s390x
@ -162,6 +163,7 @@ contains the python3 version of this module.
 %prep
 %setup -q -n mongo-python-driver-%{version}
 %patch01 -p1 -b .ssl
+%patch02 -p1

 # Remove the bundled ssl.match_hostname library as it was vulnerable to CVE-2013-7440
 # and CVE-2013-2099, and isn't needed anyway since Fedora >= 22 has the needed module in the Python
@ -285,6 +287,9 @@ pkill mongod


 %changelog
+* Fri Apr 04 2025 Filip Janus <fjanus@redhat.com> - 3.7.0-2
+- Backport CVE-2024-5629
+
 * Fri Oct 09 2020 Lukas Javorsky <ljavorsk@redhat.com> - 3.7.0-1
 - Rebase to 3.7.0
 - Includes new SCRAM-SHA-256 authentication