Bug#594412: marked as done (CouchDB insecure library loading)

Thu, 09 Sep 2010 13:03:20 -0700 

Your message dated Thu, 09 Sep 2010 20:00:05 +0000
with message-id <[email protected]>
and subject line Bug#594412: fixed in couchdb 0.8.0-2+lenny1
has caused the Debian Bug report #594412,
regarding CouchDB insecure library loading
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
594412: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594412
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: couchdb
Severity: grave
Tags: security

The following was posted to oss-security:

Date: Wed, 25 Aug 2010 14:52:52 -0400
From: Dan Rosenberg <[email protected]>
Subject: [oss-security] CVE request: CouchDB insecure library loading 
(Debian/Ubuntu only)

I discovered that the /usr/bin/couchdb script on Debian/Ubuntu sets an
insecure LD_LIBRARY_PATH environment variable, such that libraries
from the current directory are loaded.  If a local attacker placed a
maliciously crafted shared library in a directory and an administrator
were tricked into launching CouchDB from this directory, arbitrary
code execution could be achieved.  This vulnerability is only
triggered when the /usr/bin/couchdb script is executed explicitly,
since the init script (/etc/init.d/couchdb) changes the current
directory before launching CouchDB.

The vulnerability was introduced by Debian patch
"mozjs1.9_ldlibpath.patch" on 3/24/2009.


Cheers,
       Moritz


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages couchdb depends on:
ii  adduser                       3.112      add and remove users and groups
pn  erlang-abi-11.b.3             <none>     (no description available)
pn  erlang-nox                    <none>     (no description available)
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
pn  libicu38                      <none>     (no description available)
pn  libmozjs1d                    <none>     (no description available)
ii  lsb-base                      3.2-23.1   Linux Standard Base 3.2 init scrip
ii  mime-support                  3.48-1     MIME files 'mime.types' & 'mailcap

couchdb recommends no packages.

couchdb suggests no packages.

--- End Message ---
--- Begin Message --- 
Source: couchdb
Source-Version: 0.8.0-2+lenny1

We believe that the bug you reported is fixed in the latest version of
couchdb, which is due to be installed in the Debian FTP archive:

couchdb_0.8.0-2+lenny1.diff.gz
  to main/c/couchdb/couchdb_0.8.0-2+lenny1.diff.gz
couchdb_0.8.0-2+lenny1.dsc
  to main/c/couchdb/couchdb_0.8.0-2+lenny1.dsc
couchdb_0.8.0-2+lenny1_i386.deb
  to main/c/couchdb/couchdb_0.8.0-2+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <[email protected]> (supplier of updated couchdb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 07 Sep 2010 11:25:15 +0200
Source: couchdb
Binary: couchdb
Architecture: source i386
Version: 0.8.0-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Noah Slater <[email protected]>
Changed-By: Sebastien Delafond <[email protected]>
Description: 
 couchdb    - a RESTful document oriented database
Closes: 594412
Changes: 
 couchdb (0.8.0-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Remove insecure LD_LIBRARY_PATH setting (Closes: #594412).
     CVE-2010-2953.
Checksums-Sha1: 
 03b01d947c62140624a519bbc42362461823bb64 1309 couchdb_0.8.0-2+lenny1.dsc
 e70e1f19f0227768a6b935ff25b98ee62063b651 560637 couchdb_0.8.0.orig.tar.gz
 64104b87d5447c876f72c89b191abc1c370e4d90 4941 couchdb_0.8.0-2+lenny1.diff.gz
 40f069cd14363f2396ab5bf821580ff0d759b56a 275686 couchdb_0.8.0-2+lenny1_i386.deb
Checksums-Sha256: 
 16ffd6a8d0a4b1862b186549f943623ebdba33a0d80d461ceff14d6d8eb58487 1309 
couchdb_0.8.0-2+lenny1.dsc
 6d2c4fd363d88ab962d1682125591b1a70ec55a46bff482d5db40def208b1334 560637 
couchdb_0.8.0.orig.tar.gz
 feb9a9445237c4b8e6c6b967a0c300aa3e96a2fd7eb44ddad91f4aa9aea35057 4941 
couchdb_0.8.0-2+lenny1.diff.gz
 a6e8b5f53dcb241501326598ca152ba38afc7098ea9491d47d0ef5f3281a9207 275686 
couchdb_0.8.0-2+lenny1_i386.deb
Files: 
 2a4a53978b085f1222e75f6106f4ee4d 1309 misc optional couchdb_0.8.0-2+lenny1.dsc
 0837bce26ed2ab2ce2efd65e86c85bfc 560637 misc optional couchdb_0.8.0.orig.tar.gz
 dca93014f06c7521660ebe5e2c2309da 4941 misc optional 
couchdb_0.8.0-2+lenny1.diff.gz
 f0135ec654b502ecbcbdaa26f65542c4 275686 misc optional 
couchdb_0.8.0-2+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyGFf8ACgkQiZgNKcDdyD8GWACfUILS5nxeIju3qZTwGtssDPqP
vsAAoKd1Ys0h7Um2NcfkPkuAZT9TTIgE
=AZ8f
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to