Bug#594412: CouchDB insecure library loading

2010-09-07 Thread Gerfried Fuchs
Hi again!

* Gerfried Fuchs rho...@deb.at [2010-08-30 14:40:28 CEST]:
> * Moritz Muehlenhoff j...@debian.org [2010-08-25 21:50:53 CEST]:
>> Package: couchdb
>> Severity: grave
>> Tags: security
>>
>> The vulnerability was introduced by Debian patch
>> mozjs1.9_ldlibpath.patch on 3/24/2009.
>
>  I fail to find this patch either in the lenny package or in the
> squeeze package, and there was no changelog entry or upload around the
> mentioned time. Are you sure about these fineprints?

 Alright, after some chat with Moritz and other security people I better
understand the issue: the patch icu-config.patch in the lenny package
also has the problem; it would depend on an already set LD_LIBRARY_PATH
environment variable. In the case it isn't set (which is the default) it
has the insecure behavior depending on the current directory.

 A test for existence of the variable should be done and depending on
that either get extended or explicitly set only to the variable. I
though question the need of the patch - /usr/lib is searched by default
anyway? What's the background of that? I didn't find any hint in the
changelog - and that's one of the reasons why a comment in the patch
file would be really helpful. :)

 Thanks!
Rhonda
-- 
https://flattr.com/thing/47066/Debian-BTS-cleaning-up



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
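
The unset-variable case discussed in the message above, as an added example that is not part of the thread or of either Debian patch: it contrasts unconditionally extending LD_LIBRARY_PATH with extending it only when it already has a value, and checks a search path for elements the dynamic linker resolves against the current directory. LIBDIR and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added illustration. LIBDIR is a constructed placeholder, not the
# directory used by the patches named in the thread.
LIBDIR=/usr/lib/example-lib

# Unsafe pattern: with an unset or empty old value ($1) this yields
# "/usr/lib/example-lib:". The linker treats the empty element after
# the trailing colon as the current working directory.
unsafe_path() {
    printf '%s\n' "$LIBDIR:$1"
}

# Safe pattern: append ":<old value>" only when the old value is non-empty,
# otherwise set the variable to LIBDIR alone.
safe_path() {
    printf '%s\n' "$LIBDIR${1:+:$1}"
}

# Return 0 if the search path in $1 has an element that is looked up
# relative to the current directory: an empty element (leading, trailing
# or doubled colon) or any non-absolute entry such as "." or "lib".
has_cwd_element() {
    [ -n "$1" ] || return 1          # unset/empty: default search only
    rest="$1:"
    while [ -n "$rest" ]; do
        elem=${rest%%:*}             # first element
        rest=${rest#*:}              # remainder after the first colon
        case "$elem" in
            /*) ;;                   # absolute path: fine
            *)  return 0 ;;          # empty or relative: cwd-dependent
        esac
    done
    return 1
}

# Demonstration with the default situation: LD_LIBRARY_PATH not set.
for candidate in "$(unsafe_path '')" "$(safe_path '')"; do
    if has_cwd_element "$candidate"; then
        echo "cwd-dependent: '$candidate'"
    else
        echo "ok:            '$candidate'"
    fi
done
```

safe_path passes an existing value through unchanged, so a value that already contains an empty or relative element still needs the has_cwd_element check.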



Bug#594412: CouchDB insecure library loading

2010-08-30 Thread Gerfried Fuchs
Hi, Moritz!

* Moritz Muehlenhoff j...@debian.org [2010-08-25 21:50:53 CEST]:
> Package: couchdb
> Severity: grave
> Tags: security
>
> The vulnerability was introduced by Debian patch
> mozjs1.9_ldlibpath.patch on 3/24/2009.

 I fail to find this patch either in the lenny package or in the
squeeze package, and there was no changelog entry or upload around the
mentioned time. Are you sure about these fineprints?

 Thanks in advance,
Rhonda
-- 
https://flattr.com/thing/47066/Debian-BTS-cleaning-up






Bug#594412: CouchDB insecure library loading

2010-08-25 Thread Moritz Muehlenhoff
Package: couchdb
Severity: grave
Tags: security

The following was posted to oss-security:

Date: Wed, 25 Aug 2010 14:52:52 -0400
From: Dan Rosenberg dan.j.rosenb...@gmail.com
Subject: [oss-security] CVE request: CouchDB insecure library loading 
(Debian/Ubuntu only)

I discovered that the /usr/bin/couchdb script on Debian/Ubuntu sets an
insecure LD_LIBRARY_PATH environment variable, such that libraries
from the current directory are loaded.  If a local attacker placed a
maliciously crafted shared library in a directory and an administrator
were tricked into launching CouchDB from this directory, arbitrary
code execution could be achieved.  This vulnerability is only
triggered when the /usr/bin/couchdb script is executed explicitly,
since the init script (/etc/init.d/couchdb) changes the current
directory before launching CouchDB.

The vulnerability was introduced by Debian patch
mozjs1.9_ldlibpath.patch on 3/24/2009.


Cheers,
   Moritz


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages couchdb depends on:
ii  adduser            3.112     add and remove users and groups
pn  erlang-abi-11.b.3  none      (no description available)
pn  erlang-nox         none      (no description available)
ii  libc6              2.11.2-2  Embedded GNU C Library: Shared lib
pn  libicu38           none      (no description available)
pn  libmozjs1d         none      (no description available)
ii  lsb-base           3.2-23.1  Linux Standard Base 3.2 init scrip
ii  mime-support       3.48-1    MIME files 'mime.types'  'mailcap

couchdb recommends no packages.

couchdb suggests no packages.


