<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 05:56:26 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-62922] Add explicit bounds checks for OpenSSL EVP outputs</title>
                <link>https://jira.mongodb.org/browse/SERVER-62922</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;OpenSSL exposes a uniform interface for encryption and decryption called &quot;EVP&quot;. EVP functions generally accept an input, input length, and an output buffer and an output length (&lt;tt&gt;outl&lt;/tt&gt;). EVP will process every byte in the input, and write it into the output. The exact cipher being used will determine how many bytes will be written into the output. For example, stream ciphers will generally add no overhead, while block ciphers can create as much as a block&apos;s worth of extra data. According to the &lt;a href=&quot;https://www.openssl.org/docs/man3.0/man3/EVP_EncryptUpdate.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;OpenSSL documentation&lt;/a&gt;, OpenSSL will return however many bytes were written into the output buffer into &lt;tt&gt;outl&lt;/tt&gt;. It does not appear to actually read data from this argument, and their example code shows the address of an uninitialized &lt;tt&gt;int&lt;/tt&gt; being passed into EVP_EncryptUpdate.&lt;/p&gt;

&lt;p&gt;While there are no known issues due to this behaviour, the Apple and Windows cryptography implementations appear to accept the size of the output buffer in their encryption/decryption routines and likely enforce invariants.&lt;/p&gt;

&lt;p&gt;We should attempt to compute however many bytes we believe OpenSSL will consume from the output buffer, and throw a bad Status if it would overrun, before invoking EVP methods.&lt;/p&gt;</description>
                <environment></environment>
        <key id="1969550">SERVER-62922</key>
            <summary>Add explicit bounds checks for OpenSSL EVP outputs</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="brad.moore@mongodb.com">Brad Moore</assignee>
                                    <reporter username="spencer.jackson@mongodb.com">Spencer Jackson</reporter>
                        <labels>
                            <label>auto-reverted</label>
                            <label>neweng</label>
                            <label>neweng-brad</label>
                    </labels>
                <created>Mon, 24 Jan 2022 16:57:52 +0000</created>
                <updated>Sun, 29 Oct 2023 21:43:44 +0000</updated>
                            <resolved>Sun, 30 Apr 2023 12:41:02 +0000</resolved>
                                                    <fixVersion>7.1.0-rc0</fixVersion>
                                                        <votes>0</votes>
                                    <watches>5</watches>
                                                                                                                <comments>
                            <comment id="5387785" author="xgen-internal-githook" created="Sat, 29 Apr 2023 14:42:16 +0000"  >&lt;p&gt;Author: &lt;/p&gt;
{&apos;name&apos;: &apos;W. Brad Moore&apos;, &apos;email&apos;: &apos;brad.moore@mongodb.com&apos;, &apos;username&apos;: &apos;wbradmoore&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-62922&quot; title=&quot;Add explicit bounds checks for OpenSSL EVP outputs&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-62922&quot;&gt;&lt;del&gt;SERVER-62922&lt;/del&gt;&lt;/a&gt;: Add explicit bounds checks for OpenSSL EVP outputs; linux-only unit tests&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/7119eeb3c88cd787c686b8fc201a720f1c9e91e4&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/7119eeb3c88cd787c686b8fc201a720f1c9e91e4&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="5376562" author="xgen-buildbaron-user" created="Wed, 26 Apr 2023 10:07:05 +0000"  >&lt;p&gt;Ticket re-opened due to revert. &lt;a href=&quot;https://evergreen.mongodb.com/task/mongodb_mongo_master_windows_compile_required_run_unittests_a199d5f7b81b303f0eb155469593889db5d8c4ef_23_04_26_03_10_55&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;run_unittests&lt;/a&gt; began a consistent failure of build\install\bin\crypto_test.exe&lt;/p&gt;</comment>
                            <comment id="5376546" author="xgen-internal-githook" created="Wed, 26 Apr 2023 10:00:09 +0000"  >&lt;p&gt;Author: &lt;/p&gt;
{&apos;name&apos;: &apos;auto-revert-processor&apos;, &apos;email&apos;: &apos;dev-prod-dag@mongodb.com&apos;, &apos;username&apos;: &apos;&apos;}
&lt;p&gt;Message: Revert &quot;&lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-62922&quot; title=&quot;Add explicit bounds checks for OpenSSL EVP outputs&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-62922&quot;&gt;&lt;del&gt;SERVER-62922&lt;/del&gt;&lt;/a&gt;: Add explicit bounds checks for OpenSSL EVP outputs&quot;&lt;/p&gt;

&lt;p&gt;This reverts commit a199d5f7b81b303f0eb155469593889db5d8c4ef.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/bc26bc0fcb01ffb24bba056c5625d09a47985fb3&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/bc26bc0fcb01ffb24bba056c5625d09a47985fb3&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="5375784" author="xgen-internal-githook" created="Wed, 26 Apr 2023 03:10:59 +0000"  >&lt;p&gt;Author: &lt;/p&gt;
{&apos;name&apos;: &apos;W. Brad Moore&apos;, &apos;email&apos;: &apos;brad.moore@mongodb.com&apos;, &apos;username&apos;: &apos;wbradmoore&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-62922&quot; title=&quot;Add explicit bounds checks for OpenSSL EVP outputs&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-62922&quot;&gt;&lt;del&gt;SERVER-62922&lt;/del&gt;&lt;/a&gt;: Add explicit bounds checks for OpenSSL EVP outputs&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/a199d5f7b81b303f0eb155469593889db5d8c4ef&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/a199d5f7b81b303f0eb155469593889db5d8c4ef&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10520">
                    <name>Problem/Incident</name>
                                            <outwardlinks description="causes">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_12751" key="com.atlassian.jira.plugin.system.customfieldtypes:multiselect">
                        <customfieldname>Assigned Teams</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="25129"><![CDATA[Server Security]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 18 Apr 2023 16:34:36 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        40 weeks, 4 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_17050" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Downstream Team Attention</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16941"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            40 weeks, 4 days ago
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_16465" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Linked BF Score</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>brad.moore@mongodb.com</customfieldvalue>
            <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>spencer.jackson@mongodb.com</customfieldvalue>
            <customfieldvalue>Xgen-BuildBaron-User</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i0htlr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hx1yn0:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_22250" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Special Downgrade Instructions Required</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="23343"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="5700">Security 2022-02-07</customfieldvalue>
    <customfieldvalue id="6922">Security 2023-04-03</customfieldvalue>
    <customfieldvalue id="6923">Security 2023-04-17</customfieldvalue>
    <customfieldvalue id="6924">Security 2023-05-01</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i0hfr3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>