oss-sec mailing list archives
Re: CVE request: CouchDB insecure library loading (Debian/Ubuntu only)
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 26 Aug 2010 09:56:24 +0200
On Wed, 25 Aug 2010 14:52:52 -0400 Dan Rosenberg wrote:
I discovered that the /usr/bin/couchdb script on Debian/Ubuntu sets an insecure LD_LIBRARY_PATH environment variable, such that libraries from the current directory are loaded. If a local attacker placed a maliciously crafted shared library in a directory and an administrator were tricked into launching CouchDB from this directory, arbitrary code execution could be achieved. This vulnerability is only triggered when the /usr/bin/couchdb script is executed explicitly, since the init script (/etc/init.d/couchdb) changes the current directory before launching CouchDB. The vulnerability was introduced by Debian patch "mozjs1.9_ldlibpath.patch" on 3/24/2009.
This patch does not seem to be included in current Debian stable 0.8.0-2 and testing/unstable 0.11.0-2+b1 packages, but can be found in Ubuntu versions. Stable Debian contains icu-config.patch instead which seems to introduce the very same problem and is also used in some Fedora packages: http://pkgs.fedoraproject.org/gitweb/?p=couchdb.git;a=blob;f=couchdb.spec;h=aaef7be9;hb=f13/master#l81 -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- CVE request: CouchDB insecure library loading (Debian/Ubuntu only) Dan Rosenberg (Aug 25)
- Re: CVE request: CouchDB insecure library loading (Debian/Ubuntu only) Tomas Hoger (Aug 26)
- Re: CVE request: CouchDB insecure library loading (Debian/Ubuntu only) Josh Bressers (Aug 26)