From: Remi Collet <remi@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/php-pecl-mongodb] epel9: Respect libbson nesting limit when parsing PHP objects
Date: Wed, 10 Jun 2026 13:40:47 GMT	[thread overview]
Message-ID: <178109884754.1.5457973042885305329.rpms-php-pecl-mongodb-91e826694628@fedoraproject.org> (raw)

          A new commit has been pushed.

          Repo   : rpms/php-pecl-mongodb
          Branch : epel9
          Commit : 91e826694628a267054b38bf40c72287d2ca0e66
          Author : Remi Collet <remi@fedoraproject.org>
          Date   : 2026-06-10T15:40:40+02:00
          Stats  : +230/-2 in 2 file(s)
          URL    : https://src.fedoraproject.org/rpms/php-pecl-mongodb/c/91e826694628a267054b38bf40c72287d2ca0e66?branch=epel9

          Log:
          Respect libbson nesting limit when parsing PHP objects

CVE-2026-6811

---
diff --git a/mongodb-cve-2026-6811.patch b/mongodb-cve-2026-6811.patch
new file mode 100644
index 0000000..41e13ed
--- /dev/null
+++ b/mongodb-cve-2026-6811.patch
@@ -0,0 +1,221 @@
+From 2060beb85a041182550d022ec223783ffdaf6ec8 Mon Sep 17 00:00:00 2001
+From: Andreas Braun <andreas.braun@mongodb.com>
+Date: Wed, 4 Feb 2026 15:43:01 +0100
+Subject: [PATCH] PHPC-2636: Respect libbson nesting limit when parsing PHP
+ objects (#1934)
+
+---
+ src/phongo_bson.c                            |  7 ++--
+ src/phongo_bson.h                            |  1 +
+ src/phongo_bson_encode.c                     | 25 ++++++++++----
+ tests/bson/bson-document-fromPHP-005.phpt    | 34 ++++++++++++++++++++
+ tests/bson/bson-document-fromPHP-006.phpt    | 34 ++++++++++++++++++++
+ tests/bson/bson-packedarray-fromPHP-002.phpt | 34 ++++++++++++++++++++
+ 6 files changed, 126 insertions(+), 9 deletions(-)
+ create mode 100644 tests/bson/bson-document-fromPHP-005.phpt
+ create mode 100644 tests/bson/bson-document-fromPHP-006.phpt
+ create mode 100644 tests/bson/bson-packedarray-fromPHP-002.phpt
+
+diff --git a/src/phongo_bson.c b/src/phongo_bson.c
+index 92b14e568..3f3a52ae2 100644
+--- a/src/phongo_bson.c
++++ b/src/phongo_bson.c
+@@ -181,12 +181,15 @@ void php_phongo_field_path_write_type_at_current_level(php_phongo_field_path* fi
+ 
+ bool php_phongo_field_path_push(php_phongo_field_path* field_path, const char* element, php_phongo_bson_field_path_item_types element_type)
+ {
+-	php_phongo_field_path_write_item_at_current_level(field_path, element);
++	if (element) {
++		php_phongo_field_path_write_item_at_current_level(field_path, element);
++	}
++
+ 	php_phongo_field_path_write_type_at_current_level(field_path, element_type);
+ 
+ 	field_path->size++;
+ 
+-	return true;
++	return field_path->size <= BSON_MAX_NESTING_LEVEL;
+ }
+ 
+ bool php_phongo_field_path_pop(php_phongo_field_path* field_path)
+diff --git a/src/phongo_bson.h b/src/phongo_bson.h
+index 9f587e554..c8d2f5951 100644
+--- a/src/phongo_bson.h
++++ b/src/phongo_bson.h
+@@ -24,6 +24,7 @@
+ #define BSON_UNSERIALIZE_FUNC_NAME "bsonUnserialize"
+ #define BSON_SERIALIZE_FUNC_NAME "bsonSerialize"
+ #define PHONGO_ODM_FIELD_NAME "__pclass"
++#define BSON_MAX_NESTING_LEVEL 100
+ 
+ typedef enum {
+ 	PHONGO_FIELD_PATH_ITEM_NONE,
+diff --git a/src/phongo_bson_encode.c b/src/phongo_bson_encode.c
+index a9ffa92da..e793ba550 100644
+--- a/src/phongo_bson_encode.c
++++ b/src/phongo_bson_encode.c
+@@ -362,11 +362,15 @@ static void php_phongo_bson_append(bson_t* bson, php_phongo_field_path* field_pa
+ 					break;
+ 				}
+ 
++				if (!php_phongo_field_path_push(field_path, NULL, PHONGO_FIELD_PATH_ITEM_ARRAY)) {
++					phongo_throw_exception(PHONGO_ERROR_UNEXPECTED_VALUE, "Nesting level too deep");
++					php_phongo_zend_hash_apply_protection_end(tmp_ht);
++					break;
++				}
++
+ 				bson_append_array_begin(bson, key, key_len, &child);
+-				php_phongo_field_path_write_type_at_current_level(field_path, PHONGO_FIELD_PATH_ITEM_ARRAY);
+-				field_path->size++;
+ 				php_phongo_zval_to_bson_internal(entry, field_path, flags, &child, NULL);
+-				field_path->size--;
++				php_phongo_field_path_pop(field_path);
+ 				bson_append_array_end(bson, &child);
+ 
+ 				php_phongo_zend_hash_apply_protection_end(tmp_ht);
+@@ -385,14 +389,21 @@ static void php_phongo_bson_append(bson_t* bson, php_phongo_field_path* field_pa
+ 			}
+ 
+ 			if (Z_TYPE_P(entry) == IS_OBJECT && instanceof_function(Z_OBJCE_P(entry), php_phongo_packedarray_ce)) {
+-				php_phongo_field_path_write_type_at_current_level(field_path, PHONGO_FIELD_PATH_ITEM_ARRAY);
++				if (!php_phongo_field_path_push(field_path, NULL, PHONGO_FIELD_PATH_ITEM_ARRAY)) {
++					phongo_throw_exception(PHONGO_ERROR_UNEXPECTED_VALUE, "Nesting level too deep");
++					php_phongo_zend_hash_apply_protection_end(tmp_ht);
++					break;
++				}
+ 			} else {
+-				php_phongo_field_path_write_type_at_current_level(field_path, PHONGO_FIELD_PATH_ITEM_DOCUMENT);
++				if (!php_phongo_field_path_push(field_path, NULL, PHONGO_FIELD_PATH_ITEM_DOCUMENT)) {
++					phongo_throw_exception(PHONGO_ERROR_UNEXPECTED_VALUE, "Nesting level too deep");
++					php_phongo_zend_hash_apply_protection_end(tmp_ht);
++					break;
++				}
+ 			}
+ 
+-			field_path->size++;
+ 			php_phongo_bson_append_object(bson, field_path, flags, key, key_len, entry);
+-			field_path->size--;
++			php_phongo_field_path_pop(field_path);
+ 
+ 			php_phongo_zend_hash_apply_protection_end(tmp_ht);
+ 			break;
+diff --git a/tests/bson/bson-document-fromPHP-005.phpt b/tests/bson/bson-document-fromPHP-005.phpt
+new file mode 100644
+index 000000000..ed3346cf5
+--- /dev/null
++++ b/tests/bson/bson-document-fromPHP-005.phpt
+@@ -0,0 +1,34 @@
++--TEST--
++MongoDB\BSON\Document::fromPHP() respects nesting limit for BSON objects (from array)
++--FILE--
++<?php
++
++require_once __DIR__ . '/../utils/basic.inc';
++
++function createNestedArray(int $levels): array
++{
++    $value = 10;
++    for ($i = 0; $i <= $levels; $i++) {
++        $value = ['nested' => $value];
++    }
++
++    return $value;
++}
++
++echo "Creating document with 100 levels of nesting\n";
++MongoDB\BSON\Document::fromPHP(createNestedArray(100));
++
++echo "Creating document with 101 levels of nesting\n";
++echo throws(function() {
++    MongoDB\BSON\Document::fromPHP(createNestedArray(101));
++}, MongoDB\Driver\Exception\UnexpectedValueException::class), "\n";
++
++?>
++===DONE===
++<?php exit(0); ?>
++--EXPECT--
++Creating document with 100 levels of nesting
++Creating document with 101 levels of nesting
++OK: Got MongoDB\Driver\Exception\UnexpectedValueException
++Nesting level too deep
++===DONE===
+diff --git a/tests/bson/bson-document-fromPHP-006.phpt b/tests/bson/bson-document-fromPHP-006.phpt
+new file mode 100644
+index 000000000..e1811d335
+--- /dev/null
++++ b/tests/bson/bson-document-fromPHP-006.phpt
+@@ -0,0 +1,34 @@
++--TEST--
++MongoDB\BSON\Document::fromPHP() respects nesting limit for BSON objects (from object)
++--FILE--
++<?php
++
++require_once __DIR__ . '/../utils/basic.inc';
++
++function createNestedObject(int $levels): object
++{
++    $value = 10;
++    for ($i = 0; $i <= $levels; $i++) {
++        $value = (object) ['nested' => $value];
++    }
++
++    return $value;
++}
++
++echo "Creating document with 100 levels of nesting\n";
++MongoDB\BSON\Document::fromPHP(createNestedObject(100));
++
++echo "Creating document with 101 levels of nesting\n";
++echo throws(function() {
++    MongoDB\BSON\Document::fromPHP(createNestedObject(101));
++}, MongoDB\Driver\Exception\UnexpectedValueException::class), "\n";
++
++?>
++===DONE===
++<?php exit(0); ?>
++--EXPECT--
++Creating document with 100 levels of nesting
++Creating document with 101 levels of nesting
++OK: Got MongoDB\Driver\Exception\UnexpectedValueException
++Nesting level too deep
++===DONE===
+diff --git a/tests/bson/bson-packedarray-fromPHP-002.phpt b/tests/bson/bson-packedarray-fromPHP-002.phpt
+new file mode 100644
+index 000000000..5442ae5a2
+--- /dev/null
++++ b/tests/bson/bson-packedarray-fromPHP-002.phpt
+@@ -0,0 +1,34 @@
++--TEST--
++MongoDB\BSON\PackedArray::fromPHP() respects nesting limit
++--FILE--
++<?php
++
++require_once __DIR__ . '/../utils/basic.inc';
++
++function createNestedArray(int $levels): array
++{
++    $value = 10;
++    for ($i = 0; $i <= $levels; $i++) {
++        $value = [$value];
++    }
++
++    return $value;
++}
++
++echo "Creating packed array with 100 levels of nesting\n";
++MongoDB\BSON\PackedArray::fromPHP(createNestedArray(100));
++
++echo "Creating packed array with 101 levels of nesting\n";
++echo throws(function() {
++    MongoDB\BSON\PackedArray::fromPHP(createNestedArray(101));
++}, MongoDB\Driver\Exception\UnexpectedValueException::class), "\n";
++
++?>
++===DONE===
++<?php exit(0); ?>
++--EXPECT--
++Creating packed array with 100 levels of nesting
++Creating packed array with 101 levels of nesting
++OK: Got MongoDB\Driver\Exception\UnexpectedValueException
++Nesting level too deep
++===DONE===
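Review bot: In the embedded changes to src/phongo_bson_encode.c, all three new failure branches throw and `break` without popping, although `php_phongo_field_path_push()` in src/phongo_bson.c has already run `field_path->size++` before returning false, so the field path is left one level deeper than what was encoded. That is probably harmless if the caller discards the field path once the exception is set, but that cleanup is outside the visible hunks; adding `php_phongo_field_path_pop(field_path);` before each `break` would keep push and pop balanced. Because push used to return true unconditionally, every other caller (none are shown here, and `php_phongo_bson_append` itself starts and ends outside the hunks) now gets false past depth 100 and should be checked for ignoring or mishandling it. The new macro `BSON_MAX_NESTING_LEVEL` in src/phongo_bson.h uses libbson's `BSON_` prefix and a bare 100; a `PHONGO_`-prefixed name with a comment such as `/* must not exceed libbson's document nesting limit */` would avoid a later name collision and record where the value comes from.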

diff --git a/php-pecl-mongodb.spec b/php-pecl-mongodb.spec
index f11a5d4..c7fa6bd 100644
--- a/php-pecl-mongodb.spec
+++ b/php-pecl-mongodb.spec
@@ -3,7 +3,7 @@
 #
 # remirepo spec file for php-pecl-mongodb
 #
-# Copyright (c) 2015-2024 Remi Collet
+# Copyright (c) 2015-2026 Remi Collet
 # License: CC-BY-SA-4.0
 # http://creativecommons.org/licenses/by-sa/4.0/
 #
@@ -32,11 +32,13 @@
 Summary:        MongoDB driver for PHP
 Name:           php-pecl-%{pecl_name}
 Version:        %{upstream_version}%{?upstream_lower}
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        Apache-2.0
 URL:            https://pecl.php.net/package/%{pecl_name}
 Source0:        https://pecl.php.net/get/%{pecl_name}-%{upstream_version}%{?upstream_prever}.tgz
 
+Patch0:         %{pecl_name}-cve-2026-6811.patch
+
 BuildRequires:  gcc
 BuildRequires:  php-devel >= 7.4
 BuildRequires:  php-pear
@@ -69,6 +71,7 @@ sed -e 's/role="test"/role="src"/' \
     -i package.xml
 
 pushd %{sources}
+%patch -P0 -p1 -b .cve6811
 
 # Check our macro values
 grep CHECK_MODULES config.m4
@@ -188,6 +191,10 @@ cd ../ZTS
 
 
 %changelog
+* Wed Jun 10 2026 Remi Collet <remi@remirepo.net> - 1.20.1-2
+- Respect libbson nesting limit when parsing PHP objects
+  CVE-2026-6811
+
 * Thu Nov 28 2024 Remi Collet <remi@remirepo.net> - 1.20.1-1
 - update to 1.20.1
 
