Package: couchdb
Severity: grave
Tags: security

The following was posted to oss-security:

Date: Wed, 25 Aug 2010 14:52:52 -0400
From: Dan Rosenberg <[email protected]>
Subject: [oss-security] CVE request: CouchDB insecure library loading (Debian/Ubuntu only)

I discovered that the /usr/bin/couchdb script on Debian/Ubuntu sets an
insecure LD_LIBRARY_PATH environment variable, such that libraries
from the current directory are loaded.  If a local attacker placed a
maliciously crafted shared library in a directory and an administrator
were tricked into launching CouchDB from this directory, arbitrary
code execution could be achieved.  This vulnerability is only
triggered when the /usr/bin/couchdb script is executed explicitly,
since the init script (/etc/init.d/couchdb) changes the current
directory before launching CouchDB.

The vulnerability was introduced by Debian patch
"mozjs1.9_ldlibpath.patch" on 3/24/2009.


Cheers,
       Moritz


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages couchdb depends on:
ii  adduser                       3.112      add and remove users and groups
pn  erlang-abi-11.b.3             <none>     (no description available)
pn  erlang-nox                    <none>     (no description available)
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
pn  libicu38                      <none>     (no description available)
pn  libmozjs1d                    <none>     (no description available)
ii  lsb-base                      3.2-23.1   Linux Standard Base 3.2 init scrip
ii  mime-support                  3.48-1     MIME files 'mime.types' & 'mailcap

couchdb recommends no packages.

couchdb suggests no packages.



_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
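The post above describes the mechanism in one sentence: a wrapper script that builds LD_LIBRARY_PATH as "$LD_LIBRARY_PATH:<libdir>" produces a leading empty element whenever the variable was unset in the administrator's shell, and the dynamic loader treats an empty element (like "." or any relative path) as the current working directory. The following is an added illustration, not code from the bug report, from Dan Rosenberg or from the Debian couchdb package: the directory name MOZJS_LIBDIR is hypothetical, and the shape of the insecure assignment is the common pattern assumed to be at fault, not a quotation of mozjs1.9_ldlibpath.patch. It shows the insecure and the safe way to extend the variable, plus a small audit function a practitioner can run over an LD_LIBRARY_PATH value before launching a daemon by hand.

```shell
#!/bin/sh
# Added example; not part of the Debian bug report or the couchdb package.

# Hypothetical library directory standing in for the path the Debian wrapper
# script appended; the real path is not reproduced here.
MOZJS_LIBDIR=/usr/lib/example-mozjs

# Insecure pattern (assumed shape of the wrapper's assignment, not a quote of
# it). $1 is the pre-existing LD_LIBRARY_PATH value. When that value is empty
# the result starts with ':', and the empty element in front of the colon makes
# ld.so search the current directory before any system library directory.
build_ldpath_insecure() {
    printf '%s' "$1:$MOZJS_LIBDIR"
}

# Safe pattern: only keep the existing value when it is non-empty, so the
# script never manufactures an empty path element itself.
build_ldpath_safe() {
    if [ -n "$1" ]; then
        printf '%s' "$1:$MOZJS_LIBDIR"
    else
        printf '%s' "$MOZJS_LIBDIR"
    fi
}

# Audit: returns 0 (true) if a colon-separated library search path contains an
# element that ld.so would resolve from the current working directory, i.e. an
# empty element, "." or any relative path; returns 1 otherwise. An entirely
# empty value is ignored by the loader and is therefore reported as safe.
ldpath_is_insecure() {
    _p=$1
    # A leading, trailing or doubled colon is an empty element.
    case "$_p" in
        :*|*:|*::*) return 0 ;;
    esac
    # Walk the remaining non-empty elements without touching IFS or globbing.
    _rest=$_p
    while [ -n "$_rest" ]; do
        _e=${_rest%%:*}
        case "$_e" in
            /*) ;;          # absolute directory: fine
            *)  return 0 ;; # "." or a relative path: resolved from cwd
        esac
        case "$_rest" in
            *:*) _rest=${_rest#*:} ;;
            *)   _rest='' ;;
        esac
    done
    return 1
}

# Demonstration with whatever LD_LIBRARY_PATH the invoking shell has; in a
# fresh administrator shell it is normally unset, which is the vulnerable case.
for _candidate in "$(build_ldpath_insecure "${LD_LIBRARY_PATH:-}")" \
                  "$(build_ldpath_safe "${LD_LIBRARY_PATH:-}")"; do
    if ldpath_is_insecure "$_candidate"; then
        printf 'INSECURE: LD_LIBRARY_PATH=%s (searches the current directory)\n' "$_candidate"
    else
        printf 'ok:       LD_LIBRARY_PATH=%s\n' "$_candidate"
    fi
done
```

Note that the init script case in the post is consistent with this check: changing to a known directory before exec does not remove the empty element, it only changes which directory that element points at, so the audit still flags the value; the safe construction is the actual fix.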
