Debian Bug report logs - #594412
CouchDB insecure library loading

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CouchDB insecure library loading

Date: Wed, 25 Aug 2010 21:50:53 +0200

Package: couchdb
Severity: grave
Tags: security

The following was posted to oss-security:

Date: Wed, 25 Aug 2010 14:52:52 -0400
From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Subject: [oss-security] CVE request: CouchDB insecure library loading (Debian/Ubuntu only)

I discovered that the /usr/bin/couchdb script on Debian/Ubuntu sets an
insecure LD_LIBRARY_PATH environment variable, such that libraries
from the current directory are loaded.  If a local attacker placed a
maliciously crafted shared library in a directory and an administrator
were tricked into launching CouchDB from this directory, arbitrary
code execution could be achieved.  This vulnerability is only
triggered when the /usr/bin/couchdb script is executed explicitly,
since the init script (/etc/init.d/couchdb) changes the current
directory before launching CouchDB.

The vulnerability was introduced by Debian patch
"mozjs1.9_ldlibpath.patch" on 3/24/2009.


Cheers,
       Moritz


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages couchdb depends on:
ii  adduser                       3.112      add and remove users and groups
pn  erlang-abi-11.b.3             <none>     (no description available)
pn  erlang-nox                    <none>     (no description available)
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
pn  libicu38                      <none>     (no description available)
pn  libmozjs1d                    <none>     (no description available)
ii  lsb-base                      3.2-23.1   Linux Standard Base 3.2 init scrip
ii  mime-support                  3.48-1     MIME files 'mime.types' & 'mailcap

couchdb recommends no packages.

couchdb suggests no packages.

Message #10 received at 594412@bugs.debian.org (full text, mbox, reply):

From: Gerfried Fuchs <rhonda@deb.at>

To: Moritz Muehlenhoff <jmm@debian.org>, 594412@bugs.debian.org

Subject: Re: Bug#594412: CouchDB insecure library loading

Date: Mon, 30 Aug 2010 14:40:28 +0200

	Hi, Moritz!

* Moritz Muehlenhoff <jmm@debian.org> [2010-08-25 21:50:53 CEST]:
> Package: couchdb
> Severity: grave
> Tags: security
> 
> The vulnerability was introduced by Debian patch
> "mozjs1.9_ldlibpath.patch" on 3/24/2009.

 I fail to find this patch neither in the lenny package nor in the
squeeze package, and there was no changelog entry or upload around the
mentioned time. Are you sure about these fineprints?

 Thanks in advance,
Rhonda
-- 
https://flattr.com/thing/47066/Debian-BTS-cleaning-up

Message #19 received at 594412@bugs.debian.org (full text, mbox, reply):

From: Gerfried Fuchs <rhonda@deb.at>

To: 594412@bugs.debian.org

Subject: Re: Bug#594412: CouchDB insecure library loading

Date: Tue, 7 Sep 2010 09:58:18 +0200

	Hi again!

* Gerfried Fuchs <rhonda@deb.at> [2010-08-30 14:40:28 CEST]:
> * Moritz Muehlenhoff <jmm@debian.org> [2010-08-25 21:50:53 CEST]:
> > Package: couchdb
> > Severity: grave
> > Tags: security
> > 
> > The vulnerability was introduced by Debian patch
> > "mozjs1.9_ldlibpath.patch" on 3/24/2009.
> 
>  I fail to find this patch neither in the lenny package nor in the
> squeeze package, and there was no changelog entry or upload around the
> mentioned time. Are you sure about these fineprints?

 Alright, after some chat with Moritz and other security people I better
understand the issue, the patch icu-config.patch in the lenny package
also has the problem, it would depend on an already set LD_LIBRARY_PATH
environment variable. In the case it isn't set (which is the default) it
has the insecure behavior depending on the current directory.

 A test for existence of the variable should be done and depending on
that either get extended or explicitly set only to the variable. I
though question the need of the patch - /usr/lib is searched by default
anyway? What's the background of that? I didn't find any hint in the
changelog - and that's one of the reasons why a comment in the patch
file would be really helpful. :)

 Thanks!
Rhonda
-- 
https://flattr.com/thing/47066/Debian-BTS-cleaning-up

Message #24 received at 594412-close@bugs.debian.org (full text, mbox, reply):

From: Sebastien Delafond <seb@debian.org>

To: 594412-close@bugs.debian.org

Subject: Bug#594412: fixed in couchdb 0.8.0-2+lenny1

Date: Thu, 09 Sep 2010 20:00:05 +0000

Source: couchdb
Source-Version: 0.8.0-2+lenny1

We believe that the bug you reported is fixed in the latest version of
couchdb, which is due to be installed in the Debian FTP archive:

couchdb_0.8.0-2+lenny1.diff.gz
  to main/c/couchdb/couchdb_0.8.0-2+lenny1.diff.gz
couchdb_0.8.0-2+lenny1.dsc
  to main/c/couchdb/couchdb_0.8.0-2+lenny1.dsc
couchdb_0.8.0-2+lenny1_i386.deb
  to main/c/couchdb/couchdb_0.8.0-2+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 594412@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated couchdb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 07 Sep 2010 11:25:15 +0200
Source: couchdb
Binary: couchdb
Architecture: source i386
Version: 0.8.0-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Noah Slater <nslater@bytesexual.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Description: 
 couchdb    - a RESTful document oriented database
Closes: 594412
Changes: 
 couchdb (0.8.0-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Remove insecure LD_LIBRARY_PATH setting (Closes: #594412).
     CVE-2010-2953.
Checksums-Sha1: 
 03b01d947c62140624a519bbc42362461823bb64 1309 couchdb_0.8.0-2+lenny1.dsc
 e70e1f19f0227768a6b935ff25b98ee62063b651 560637 couchdb_0.8.0.orig.tar.gz
 64104b87d5447c876f72c89b191abc1c370e4d90 4941 couchdb_0.8.0-2+lenny1.diff.gz
 40f069cd14363f2396ab5bf821580ff0d759b56a 275686 couchdb_0.8.0-2+lenny1_i386.deb
Checksums-Sha256: 
 16ffd6a8d0a4b1862b186549f943623ebdba33a0d80d461ceff14d6d8eb58487 1309 couchdb_0.8.0-2+lenny1.dsc
 6d2c4fd363d88ab962d1682125591b1a70ec55a46bff482d5db40def208b1334 560637 couchdb_0.8.0.orig.tar.gz
 feb9a9445237c4b8e6c6b967a0c300aa3e96a2fd7eb44ddad91f4aa9aea35057 4941 couchdb_0.8.0-2+lenny1.diff.gz
 a6e8b5f53dcb241501326598ca152ba38afc7098ea9491d47d0ef5f3281a9207 275686 couchdb_0.8.0-2+lenny1_i386.deb
Files: 
 2a4a53978b085f1222e75f6106f4ee4d 1309 misc optional couchdb_0.8.0-2+lenny1.dsc
 0837bce26ed2ab2ce2efd65e86c85bfc 560637 misc optional couchdb_0.8.0.orig.tar.gz
 dca93014f06c7521660ebe5e2c2309da 4941 misc optional couchdb_0.8.0-2+lenny1.diff.gz
 f0135ec654b502ecbcbdaa26f65542c4 275686 misc optional couchdb_0.8.0-2+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyGFf8ACgkQiZgNKcDdyD8GWACfUILS5nxeIju3qZTwGtssDPqP
vsAAoKd1Ys0h7Um2NcfkPkuAZT9TTIgE
=AZ8f
-----END PGP SIGNATURE-----

Message #29 received at 594412-done@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Moritz Muehlenhoff <jmm@debian.org>

Cc: 594412-done@bugs.debian.org

Subject: Re: CouchDB insecure library loading

Date: Fri, 8 Oct 2010 18:46:10 +0200

Version: 0.11.0-1

Send a report that this bug log contains spam.