CVE-2018-16790

NameCVE-2018-16790
Description_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs913896, 913963

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libbson (PTS)stretch1.4.2-1vulnerable
mongo-c-driver (PTS)buster1.14.0-1fixed
bullseye1.17.6-1fixed
bookworm1.23.1-1fixed
sid, trixie1.29.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libbsonsource(unstable)(unfixed)913896
mongo-c-driversource(unstable)1.13.0-1913963

Notes

[stretch] - libbson <no-dsa> (Minor issue)
https://jira.mongodb.org/browse/CDRIVER-2819
https://github.com/mongodb/mongo-c-driver/commit/0d9a4d98bfdf4acd2c0138d4aaeb4e2e0934bd84
Search for package or bug name: Reporting problems