[mongodb] Fix for CVE-2013-1892
tdawson
tdawson at fedoraproject.org
Wed Mar 27 23:01:48 UTC 2013
commit dd4c9740e468d4f240de47ec28482dccf10e3232
Author: Troy Dawson <tdawson at redhat.com>
Date: Wed Mar 27 18:01:38 2013 -0500
Fix for CVE-2013-1892
...db-2.2.3-CVE-2013-1892-avoid-raw-pointers.patch | 171 ++++++++++++++++++++
mongodb.spec | 9 +-
2 files changed, 179 insertions(+), 1 deletions(-)
---
diff --git a/mongodb-2.2.3-CVE-2013-1892-avoid-raw-pointers.patch b/mongodb-2.2.3-CVE-2013-1892-avoid-raw-pointers.patch
new file mode 100644
index 0000000..a60d765
--- /dev/null
+++ b/mongodb-2.2.3-CVE-2013-1892-avoid-raw-pointers.patch
@@ -0,0 +1,171 @@
+diff -urp mongodb-src-r2.2.3.orig/src/mongo/scripting/engine_spidermonkey.cpp mongodb-src-r2.2.3/src/mongo/scripting/engine_spidermonkey.cpp
+--- mongodb-src-r2.2.3.orig/src/mongo/scripting/engine_spidermonkey.cpp 2013-01-31 09:18:33.000000000 -0600
++++ mongodb-src-r2.2.3/src/mongo/scripting/engine_spidermonkey.cpp 2013-03-27 15:50:39.857872807 -0500
+@@ -45,6 +45,9 @@
+
+ namespace mongo {
+
++ typedef std::map<double, NativeFunction> FunctionMap;
++ typedef std::map<double, void*> ArgumentMap;
++
+ string trim( string s ) {
+ while ( s.size() && isspace( s[0] ) )
+ s = s.substr( 1 );
+@@ -1174,56 +1177,8 @@ namespace mongo {
+ return JS_TRUE;
+ }
+
+- JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
+- try {
+- Convertor c(cx);
+- NativeFunction func = reinterpret_cast<NativeFunction>(
+- static_cast<long long>( c.getNumber( obj , "x" ) ) );
+- void* data = reinterpret_cast<void*>(
+- static_cast<long long>( c.getNumber( obj , "y" ) ) );
+- verify( func );
+-
+- BSONObj a;
+- if ( argc > 0 ) {
+- BSONObjBuilder args;
+- for ( uintN i = 0; i < argc; ++i ) {
+- c.append( args , args.numStr( i ) , argv[i] );
+- }
+- a = args.obj();
+- }
+-
+- BSONObj out;
+- try {
+- out = func( a, data );
+- }
+- catch ( std::exception& e ) {
+- if ( ! JS_IsExceptionPending( cx ) ) {
+- JS_ReportError( cx, e.what() );
+- }
+- return JS_FALSE;
+- }
+-
+- if ( out.isEmpty() ) {
+- *rval = JSVAL_VOID;
+- }
+- else {
+- *rval = c.toval( out.firstElement() );
+- }
+- }
+- catch ( const AssertionException& e ) {
+- if ( ! JS_IsExceptionPending( cx ) ) {
+- JS_ReportError( cx, e.what() );
+- }
+- return JS_FALSE;
+- }
+- catch ( const std::exception& e ) {
+- log() << "unhandled exception: " << e.what() << ", throwing Fatal Assertion" << endl;
+- fassertFailed( 16281 );
+- }
+- return JS_TRUE;
+- }
+-
+ JSBool native_load( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval );
++ JSBool native_helper(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval);
+
+ JSBool native_gc( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
+ JS_GC( cx );
+@@ -1869,12 +1824,16 @@ namespace mongo {
+ smlock;
+ string name = field;
+ jsval v;
+- v = _convertor->toval( static_cast<double>( reinterpret_cast<long long>(func) ) );
++ double funcId = static_cast<double>(_functionMap.size());
++ _functionMap.insert(make_pair(funcId, func));
++ v = _convertor->toval(funcId);
+ _convertor->setProperty( _global, (name + "_").c_str(), v );
+
+ stringstream code;
+ if (data) {
+- v = _convertor->toval( static_cast<double>( reinterpret_cast<long long>(data) ) );
++ double argsId = static_cast<double>(_argumentMap.size());
++ _argumentMap.insert(make_pair(argsId, data));
++ v = _convertor->toval(argsId);
+ _convertor->setProperty( _global, (name + "_data_").c_str(), v );
+ code << field << "_" << " = { x : " << field << "_ , y: " << field << "_data_ }; ";
+ } else {
+@@ -1892,6 +1851,10 @@ namespace mongo {
+
+ JSContext *SavedContext() const { return _context; }
+
++ // map from internal function id to function pointer
++ FunctionMap _functionMap;
++ // map from internal function argument id to function pointer
++ ArgumentMap _argumentMap;
+ private:
+
+ void _postCreateHacks() {
+@@ -1970,7 +1933,69 @@ namespace mongo {
+ return JS_TRUE;
+ }
+
++ JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
++ try {
++ Convertor c(cx);
++
++ // get function pointer from JS caller's argument property 'x'
++ massert(16735, "nativeHelper argument requires object with 'x' property",
++ c.hasProperty(obj, "x"));
++ double functionAddress = c.getNumber(obj, "x");
++ FunctionMap::iterator funcIter = currentScope->_functionMap.find(functionAddress);
++ massert(16734, "JavaScript function not in map",
++ funcIter != currentScope->_functionMap.end());
++ NativeFunction func = funcIter->second;
++ verify(func);
++
++ // get data pointer from JS caller's argument property 'y'
++ void* data = NULL;
++ if (c.hasProperty(obj, "y")) {
++ double argumentAddress = c.getNumber(obj, "y");
++ ArgumentMap::iterator argIter = currentScope->_argumentMap.find(argumentAddress);
++ massert(16736, "nativeHelper 'y' parameter must be in the argumentMap",
++ argIter != currentScope->_argumentMap.end());
++ data = argIter->second;
++ }
++
++ BSONObj a;
++ if ( argc > 0 ) {
++ BSONObjBuilder args;
++ for ( uintN i = 0; i < argc; ++i ) {
++ c.append( args , args.numStr( i ) , argv[i] );
++ }
++ a = args.obj();
++ }
++
++ BSONObj out;
++ try {
++ out = func( a, data );
++ }
++ catch ( std::exception& e ) {
++ if ( ! JS_IsExceptionPending( cx ) ) {
++ JS_ReportError( cx, e.what() );
++ }
++ return JS_FALSE;
++ }
+
++ if ( out.isEmpty() ) {
++ *rval = JSVAL_VOID;
++ }
++ else {
++ *rval = c.toval( out.firstElement() );
++ }
++ }
++ catch ( const AssertionException& e ) {
++ if ( ! JS_IsExceptionPending( cx ) ) {
++ JS_ReportError( cx, e.what() );
++ }
++ return JS_FALSE;
++ }
++ catch ( const std::exception& e ) {
++ log() << "unhandled exception: " << e.what() << ", throwing Fatal Assertion" << endl;
++ fassertFailed( 16281 );
++ }
++ return JS_TRUE;
++ }
+
+ void SMEngine::runTest() {
+ SMScope s;
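Review bot: The function id and the data id are still looked up independently in the new native_helper (`currentScope->_functionMap.find(functionAddress)` and `currentScope->_argumentMap.find(argumentAddress)`), so nothing ties a registered NativeFunction to the `void*` it was injected with; if nativeHelper is reachable from script, as the massert text suggests, an `x`/`y` pair taken from two different injectNative registrations passes both checks and calls a valid function with another registration's data. Storing the pair in one map entry, as below, makes the `y` property redundant and removes that mismatch without changing the JS glue the hunk emits. The comment on the new `_argumentMap` member should read `// map from internal argument id to data pointer` rather than "to function pointer", and both maps are declared above `private:`, which exposes them more widely than native_helper needs. `currentScope`, which native_helper dereferences, is not defined in this hunk, so whether it is always non-null when a native is invoked cannot be checked here.
```cpp
typedef std::map<double, std::pair<NativeFunction, void*> > FunctionMap;

// injectNative: one id carries both the function and its data
double funcId = static_cast<double>(_functionMap.size());
_functionMap.insert(make_pair(funcId, make_pair(func, data)));
v = _convertor->toval(funcId);
// … unchanged: setProperty calls and the generated "{ x : ..., y: ... }" glue …

// native_helper: the data pointer comes from the same map entry as the function
FunctionMap::iterator funcIter = currentScope->_functionMap.find(functionAddress);
massert(16734, "JavaScript function not in map",
        funcIter != currentScope->_functionMap.end());
NativeFunction func = funcIter->second.first;
void* data = funcIter->second.second;
verify(func);
// … unchanged: argument marshalling, the func( a, data ) call and exception handling …
```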
diff --git a/mongodb.spec b/mongodb.spec
index 99669b9..5cd52d7 100644
--- a/mongodb.spec
+++ b/mongodb.spec
@@ -2,7 +2,7 @@
Name: mongodb
Version: 2.2.3
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: High-performance, schema-free document-oriented database
Group: Applications/Databases
License: AGPLv3 and zlib and ASL 2.0
@@ -31,6 +31,9 @@ Patch7: mongodb-2.2.0-use-system-version.patch
Patch8: mongodb-2.2.0-shared-library.patch
##Patch 9 - https://jira.mongodb.org/browse/SERVER-5575
Patch9: mongodb-2.2.0-full-flag.patch
+##Patch 10 - https://bugzilla.redhat.com/show_bug.cgi?id=927536
+##Patch 10 - https://jira.mongodb.org/browse/SERVER-9124
+Patch10: mongodb-2.2.3-CVE-2013-1892-avoid-raw-pointers.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -123,6 +126,7 @@ software, default configuration files, and init scripts.
%ifarch %ix86
%patch9 -p1
%endif
+%patch10 -p1
# spurious permissions
chmod -x README
@@ -296,6 +300,9 @@ fi
%{_includedir}
%changelog
+* Wed Mar 27 2013 Troy Dawson <tdawson at redhat.com> - 2.2.3-4
+- Fix for CVE-2013-1892
+
* Sun Feb 10 2013 Denis Arnaud <denis.arnaud_fedora at m4x.org> - 2.2.3-3
- Rebuild for Boost-1.53.0