[Bug 632201] Re: CouchDB insecure library loading
Marc fixed this in the upload for 1.0.1-0ubuntu2.

** Changed in: couchdb (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: couchdb (Ubuntu)
     Assignee: James Henstridge (jamesh) => (unassigned)

--
CouchDB insecure library loading
https://bugs.launchpad.net/bugs/632201
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 632201] Re: CouchDB insecure library loading
** Changed in: couchdb (Ubuntu)
       Status: New => Confirmed

** Changed in: couchdb (Ubuntu)
     Assignee: (unassigned) => James Henstridge (jamesh)

** Changed in: couchdb (Ubuntu)
   Importance: Undecided => Medium
[Bug 632201] Re: CouchDB insecure library loading
** Description changed:

  Binary package hint: couchdb

- The following was posted to oss-security please notice that even though
- it mentions Debian it looks like this patch only lives in Ubuntu:
+ The following was posted to oss-security:

  Date: Wed, 25 Aug 2010 14:52:52 -0400
  From: Dan Rosenberg
  Subject: [oss-security] CVE request: CouchDB insecure library loading (Debian/Ubuntu only)

  I discovered that the /usr/bin/couchdb script on Debian/Ubuntu sets an insecure LD_LIBRARY_PATH environment variable, such that libraries from the current directory are loaded. If a local attacker placed a maliciously crafted shared library in a directory and an administrator were tricked into launching CouchDB from this directory, arbitrary code execution could be achieved.

  This vulnerability is only triggered when the /usr/bin/couchdb script is executed explicitly, since the init script (/etc/init.d/couchdb) changes the current directory before launching CouchDB.

  The vulnerability was introduced by Debian patch "mozjs1.9_ldlibpath.patch" on 3/24/2009.
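
Added example, not part of the bug report or of the CouchDB packaging: a shell check for the class of problem the report describes, a wrapper script building an LD_LIBRARY_PATH that makes the loader search the current directory. The report does not show the offending line; the example assumes the common cause, an unconditional "DIR:$LD_LIBRARY_PATH" concatenation, and the function names and /opt/example/lib are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names and /opt/example/lib are hypothetical.

# Naive "DIR:$LD_LIBRARY_PATH" concatenation. When the current value is
# empty the result ends in ':' and glibc's loader searches that empty
# entry as the current working directory.
unsafe_prepend() {
    printf '%s:%s\n' "$1" "$2"
}

# Emit the separator only when the current value is non-empty.
safe_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# Print every risky entry of a search path; return 1 if any was found.
# Risky: an empty entry (current directory) or a non-absolute entry.
audit_ld_path() {
    rest=$1
    found=0
    if [ -z "$rest" ]; then
        return 0                 # empty value: nothing to audit
    fi
    rest="$rest:"                # sentinel keeps a trailing empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            '') echo "empty entry (current directory)"; found=1 ;;
            /*) ;;
            *)  echo "relative entry: $entry"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed demonstration with LD_LIBRARY_PATH unset in the caller.
for candidate in "$(unsafe_prepend /opt/example/lib '')" \
                 "$(safe_prepend /opt/example/lib '')"; do
    echo "checking: $candidate"
    audit_ld_path "$candidate" || echo "  -> unsafe"
done
```
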
[Bug 632201] Re: CouchDB insecure library loading
** Visibility changed to: Public