Re: CVE request: CouchDB insecure library loading (Debian/Ubuntu only)

[Tomas Hoger <thoger () redhat com>]

On Wed, 25 Aug 2010 14:52:52 -0400 Dan Rosenberg wrote:

> I discovered that the /usr/bin/couchdb script on Debian/Ubuntu sets an
> insecure LD_LIBRARY_PATH environment variable, such that libraries
> from the current directory are loaded.  If a local attacker placed a
> maliciously crafted shared library in a directory and an administrator
> were tricked into launching CouchDB from this directory, arbitrary
> code execution could be achieved.  This vulnerability is only
> triggered when the /usr/bin/couchdb script is executed explicitly,
> since the init script (/etc/init.d/couchdb) changes the current
> directory before launching CouchDB.
>
> The vulnerability was introduced by Debian patch
> "mozjs1.9_ldlibpath.patch" on 3/24/2009.

This patch does not seem to be included in current Debian stable
0.8.0-2 and testing/unstable 0.11.0-2+b1 packages, but can be found in
Ubuntu versions.

Stable Debian contains icu-config.patch instead which seems to
introduce the very same problem and is also used in some Fedora
packages:

http://pkgs.fedoraproject.org/gitweb/?p=couchdb.git;a=blob;f=couchdb.spec;h=aaef7be9;hb=f13/master#l81

-- 
Tomas Hoger / Red Hat Security Response Team