message decompressor to incorrectly allocate memory

Bug #1933520 reported by Heather Lemon
This bug affects 2 people
Affects           Status        Importance  Assigned to    Milestone
mongodb (Ubuntu)
  Bionic          Fix Released  Medium      Heather Lemon
  Focal           Fix Released  Medium      Heather Lemon

Bug Description

CVE 2019-20925: https://ubuntu.com/security/CVE-2019-20925

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15; v3.4 versions prior to 3.4.24.

commit: https://github.com/mongodb/mongo/commit/c1a956e084d39e6da75cd347e63d0064ed9151a8

Affected versions
Ubuntu 18.04 LTS (Bionic Beaver)
Ubuntu 20.04 LTS (Focal Fossa)

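The description above says the decompressor can be made to "incorrectly allocate memory" by an unauthenticated client. In OP_COMPRESSED (opCode 2012) the wrapped frame carries its own `originalOpcode`, `uncompressedSize` and `compressorId` fields ahead of the compressed payload, and `uncompressedSize` is whatever the client wrote. The example below is added here to illustrate that parsing step; it is not MongoDB's code and not a reproduction of the upstream patch linked above. The frame layout and opcodes follow the public MongoDB wire-protocol documentation, the 48 MB message ceiling is an assumption taken from those docs rather than from this report, and the "recompute from what was actually produced" step is this example's own reading of the changelog wording, not a claim about what the upstream commit does line by line. The forged frames are constructed inputs.

```python
import struct
import zlib

# Opcodes and frame layout from the public MongoDB wire-protocol
# documentation (OP_COMPRESSED wraps another opcode's body).
OP_COMPRESSED = 2012
OP_MSG = 2013
# 48 MB ceiling on any wire message; assumed here from the public docs,
# not stated in this bug report.
MAX_MESSAGE_SIZE_BYTES = 48 * 1000 * 1000

STD_HEADER = struct.Struct("<iiii")        # messageLength, requestID, responseTo, opCode
COMPRESSED_HEADER = struct.Struct("<iiB")  # originalOpcode, uncompressedSize, compressorId
COMPRESSOR_NOOP = 0
COMPRESSOR_ZLIB = 2


class MalformedMessage(ValueError):
    """Raised for any frame the decompressor should refuse before allocating."""


def build_op_compressed(original_opcode, body, compressor_id, request_id=1):
    """Wrap `body` (the uncompressed inner message) in an OP_COMPRESSED frame."""
    if compressor_id == COMPRESSOR_ZLIB:
        payload = zlib.compress(body)
    elif compressor_id == COMPRESSOR_NOOP:
        payload = body
    else:
        raise ValueError("unsupported compressorId")
    comp_hdr = COMPRESSED_HEADER.pack(original_opcode, len(body), compressor_id)
    total = STD_HEADER.size + len(comp_hdr) + len(payload)
    return STD_HEADER.pack(total, request_id, 0, OP_COMPRESSED) + comp_hdr + payload


def forge_uncompressed_size(msg, claimed):
    """Constructed attacker input: keep the frame, lie in the uncompressedSize field."""
    off = STD_HEADER.size + 4  # skip originalOpcode
    return msg[:off] + struct.pack("<i", claimed) + msg[off + 4:]


def decompress_message(msg, max_message_size=MAX_MESSAGE_SIZE_BYTES):
    """Inflate an OP_COMPRESSED frame into the plain frame it carries.

    Nothing here is sized from the client's uncompressedSize field alone:
    the field is bounded first, inflation is capped, and the result is measured.
    """
    if len(msg) < STD_HEADER.size + COMPRESSED_HEADER.size:
        raise MalformedMessage("frame shorter than the two headers")
    length, request_id, response_to, opcode = STD_HEADER.unpack_from(msg, 0)
    if opcode != OP_COMPRESSED:
        raise MalformedMessage("not an OP_COMPRESSED frame")
    if length != len(msg) or length > max_message_size:
        raise MalformedMessage("messageLength disagrees with the frame or exceeds the maximum")
    orig_op, claimed, compressor = COMPRESSED_HEADER.unpack_from(msg, STD_HEADER.size)
    payload = msg[STD_HEADER.size + COMPRESSED_HEADER.size:]

    # Bound the client-controlled size before anything is sized from it.
    if claimed < 0 or claimed > max_message_size - STD_HEADER.size:
        raise MalformedMessage("uncompressedSize %d out of range" % claimed)

    if compressor == COMPRESSOR_NOOP:
        body = payload
    elif compressor == COMPRESSOR_ZLIB:
        inflater = zlib.decompressobj()
        try:
            # max_length caps output at claimed+1 bytes, so an oversized
            # stream cannot grow the buffer past what the header promised.
            body = inflater.decompress(payload, claimed + 1)
        except zlib.error as exc:
            raise MalformedMessage("zlib: %s" % exc) from exc
        if not inflater.eof or inflater.unconsumed_tail:
            raise MalformedMessage("compressed stream truncated or longer than uncompressedSize")
    else:
        raise MalformedMessage("unknown compressorId %d" % compressor)

    # Recompute the inflated frame's parameters from the bytes actually produced.
    if len(body) != claimed:
        raise MalformedMessage("uncompressedSize %d but %d bytes produced" % (claimed, len(body)))
    new_length = STD_HEADER.size + len(body)
    return STD_HEADER.pack(new_length, request_id, response_to, orig_op) + body


def rejects(msg):
    """True if the validating decompressor refuses `msg`."""
    try:
        decompress_message(msg)
    except MalformedMessage:
        return True
    return False


if __name__ == "__main__":
    inner = b"\x00\x00\x00\x00" + b"constructed OP_MSG body " * 8
    frame = build_op_compressed(OP_MSG, inner, COMPRESSOR_ZLIB)
    print(len(decompress_message(frame)[STD_HEADER.size:]), "bytes inflated")
    print("huge uncompressedSize rejected:", rejects(forge_uncompressed_size(frame, 2**31 - 1)))
```

The point to take from it is the ordering: the range check on `uncompressedSize` runs before any buffer depends on that value, the inflater is told the maximum it may produce, and the rebuilt frame's `messageLength` comes from `len(body)`, not from the header the client sent. A decompressor that instead allocates `uncompressedSize` bytes up front and trusts the header afterwards lets a single unauthenticated frame choose the allocation size.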
CVE References

CVE-2019-20925
tags: added: security
tags: added: ubuntu-security
removed: security
Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

bionic - cve-2019-20925 message decompressor to incorrectly allocate memory.

Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

cve-2019-20925-focal message decompressor to incorrectly allocate memory.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "CVE-2019-20925-bionic-20210702.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
tags: added: bug security
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mongodb (Ubuntu Bionic):
status: New → Confirmed
Changed in mongodb (Ubuntu Focal):
status: New → Confirmed
Changed in mongodb (Ubuntu):
status: New → Confirmed
Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

reattaching corrected debdiffs

Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

focal decompressor security fix, reattached for updated quilt header and changelog

Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

redo patch add CVE tag and update dch and quilt header

Mathew Hodson (mhodson)
Changed in mongodb (Ubuntu):
importance: Undecided → Medium
Changed in mongodb (Ubuntu Bionic):
importance: Undecided → Medium
Changed in mongodb (Ubuntu Focal):
importance: Undecided → Medium
information type: Public → Public Security
no longer affects: mongodb (Ubuntu)
Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :
Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

rename patch to CVE-2019-20925-SERVER

Changed in mongodb (Ubuntu Focal):
assignee: nobody → Heather Lemon (hypothetical-lemon)
Changed in mongodb (Ubuntu Bionic):
assignee: nobody → Heather Lemon (hypothetical-lemon)
Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

focal cve-2019-20925

Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

Hi,

Does anyone need anything else from me from the security side?

Is there a status update or a document showing this is being tracked on a TODO list?

Thanks,
Heather Lemon

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

There's a whole slew of CVEs that are shown to be open in bionic and focal:

https://ubuntu.com/security/cve?q=&package=mongodb&priority=&version=&status=

Is there a reason you only picked this one? If that's on purpose, I'll sponsor the debdiffs this week.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs in comments #11 and #12. I've uploaded packages for building in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Could you please test them once they've finished building, and I'll release them as security updates. Thanks!

Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

Yeah, will do. Thanks!

Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

Hi Marc, this was actually supposed to go with this other LP https://bugs.launchpad.net/ubuntu/bionic/+source/mongodb/+bug/1934518 but Alex and I missed this one. It got dropped at some point I think we were too focused on the other one.
Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mongodb - 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3

---------------
mongodb (1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3) focal-security; urgency=medium

  * SECURITY UPDATE: message decompressor to incorrectly allocate memory (LP: #1933520)
    - d/p/CVE-2019-20925-SERVER-43751-Recompute-compressor-manager-message-pa.patch:
      An unauthenticated client can trigger denial of service by
      issuing specially crafted wire protocol messages,
      which cause the message decompressor to incorrectly allocate memory
    - CVE-2019-20925

 -- Heather Lemon <email address hidden> Thu, 26 Aug 2021 14:36:35 +0000

Changed in mongodb (Ubuntu Focal):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mongodb - 1:3.6.3-0ubuntu1.4

---------------
mongodb (1:3.6.3-0ubuntu1.4) bionic-security; urgency=medium

  * d/p/CVE-2019-20925-SERVER-43751-Recompute-compressor-manager-message-pa.patch
    Recompute compressor manager message parameters. (LP: #1933520)

 -- Heather Lemon <email address hidden> Tue, 03 Aug 2021 20:57:49 +0000

Changed in mongodb (Ubuntu Bionic):
status: Confirmed → Fix Released