ELA-1437-1 libbson security update

multiple vulnerabilities

2025-05-26
Package: libbson
Version: 1.4.2-1+deb9u1 (stretch)
Related CVEs: CVE-2017-14227 CVE-2018-16790 CVE-2023-0437 CVE-2024-6381 CVE-2024-6383 CVE-2025-0755


Multiple vulnerabilities have been discovered in the MongoDB BSON library.

CVE-2017-14227

The bson_iter_codewscope function in bson-iter.c miscalculates a
bson_utf8_validate length argument, which allows remote attackers to
cause a denial of service (heap-based buffer over-read in the
bson_utf8_validate function in bson-utf8.c).

CVE-2018-16790

_bson_iter_next_internal in bson-iter.c has a heap-based buffer
over-read via a crafted bson buffer.

CVE-2023-0437

When calling bson_utf8_validate on some inputs, a loop with an exit
condition that cannot be reached may occur, i.e. an infinite loop.

CVE-2024-6381

The bson_strfreev function in the MongoDB C driver library may be
susceptible to an integer overflow where the function will try to
free memory at a negative offset. This may result in memory
corruption.

CVE-2024-6383

The bson_string_append function in MongoDB C Driver may be
vulnerable to a buffer overflow where the function might attempt to
allocate too small a buffer, which may lead to memory corruption of
neighbouring heap memory.

CVE-2025-0755

The various bson_append functions in the MongoDB C driver library
may be susceptible to buffer overflow when performing operations
that could result in a final BSON document which exceeds the maximum
allowable size (INT32_MAX), resulting in a segmentation fault and
possible application crash.
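The length-handling defect behind CVE-2024-6383 and CVE-2025-0755 is a document or string length that is grown in 32-bit arithmetic without checking the result. As an added illustration, not libbson's code and not the upstream fix, the hypothetical doc_buf_t / doc_checked_len / doc_append helpers below show the check an append path needs: form the new length in 64-bit arithmetic, refuse anything beyond INT32_MAX, and only then allocate or copy.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical growable byte buffer standing in for a BSON document under
 * construction (not libbson's bson_t). Lengths are int32_t because BSON
 * stores the document length as a signed 32-bit integer. */
typedef struct {
    uint8_t *data;
    int32_t  len;   /* bytes in use */
    int32_t  alloc; /* bytes allocated */
} doc_buf_t;

/* Length after appending n bytes, or false if the result would not fit
 * an int32 BSON length. The sum is formed in uint64_t, so it cannot wrap
 * the way a plain int32 "len + n" can; *out is untouched on failure. */
bool doc_checked_len(int32_t len, size_t n, int32_t *out) {
    if (len < 0) return false;
    uint64_t need = (uint64_t)len + (uint64_t)n;
    if (need > (uint64_t)INT32_MAX) return false;
    *out = (int32_t)need;
    return true;
}

/* Append n bytes, validating the total size before any allocation or
 * copy so the buffer is never sized from a wrapped integer. */
bool doc_append(doc_buf_t *d, const void *src, size_t n) {
    int32_t need;
    if (!doc_checked_len(d->len, n, &need)) return false;
    if (need > d->alloc) {
        /* Grow geometrically, clamped to INT32_MAX and never below need. */
        uint64_t want = (uint64_t)d->alloc * 2;
        if (want > (uint64_t)INT32_MAX) want = INT32_MAX;
        if (want < (uint64_t)need) want = (uint64_t)need;
        uint8_t *p = realloc(d->data, (size_t)want);
        if (!p) return false;
        d->data = p;
        d->alloc = (int32_t)want;
    }
    memcpy(d->data + d->len, src, n);
    d->len = need;
    return true;
}

void doc_free(doc_buf_t *d) {
    free(d->data);
    d->data = NULL;
    d->len = d->alloc = 0;
}
```

A caller that ignores the false return and writes anyway reintroduces the same class of bug, so the check only helps when every append path honours it.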


For Debian 9 stretch, these problems have been fixed in version 1.4.2-1+deb9u1.

We recommend that you upgrade your libbson packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.