Dan Rosenberg reports: http://thread.gmane.org/gmane.comp.security.oss.general/3358 I discovered that the /usr/bin/couchdb script on Debian/Ubuntu sets an insecure LD_LIBRARY_PATH environment variable, such that libraries from the current directory are loaded. If a local attacker placed a maliciously crafted shared library in a directory and an administrator were tricked into launching CouchDB from this directory, arbitrary code execution could be achieved. This vulnerability is only triggered when the /usr/bin/couchdb script is executed explicitly, since the init script (/etc/init.d/couchdb) changes the current directory before launching CouchDB. The vulnerability was introduced by Debian patch "mozjs1.9_ldlibpath.patch" on 3/24/2009. While Fedora / EPEL packages don't seem to include mentioned Debian patch, they include different LD_LIBRARY_PATH-setting change that seems to be inspired by Debian icu-config.patch patch: http://pkgs.fedoraproject.org/gitweb/?p=couchdb.git;a=blob;f=couchdb.spec;h=aaef7be9;hb=f13/master#l81 If LD_LIBRARY_PATH is unset before running /usr/bin/couchdb, it gets set to /usr/lib{,64}: , which causes linker to search for libs relative to the current working directory, possibly allowing arbitrary code execution if run from some attacker-controlled/writeable directory (such as /tmp). I don't know what typical couchdb use case is, it may be rather unlikely to have couchdb run from arbitrary directories. I wonder why we need to change LD_LIBRARY_PATH at all. Only /usr/lib or /usr/lib64 is added there, so setting it should be redundant as those directories are in linker search path by default. If setting it is really required, something like this should work instead: LD_LIBRARY_PATH=%{_libdir}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
Thanks! I will provide fix very soon. (In reply to comment #0) > attacker-controlled/writeable directory (such as /tmp). I don't know what > typical couchdb use case is, it may be rather unlikely to have couchdb run from > arbitrary directories. Unfortunately running CouchDB from arbitrary directory is one of possible (and rather popular) user-cases. So yes, this needs to be fixed urgently. > I wonder why we need to change LD_LIBRARY_PATH at all. Only /usr/lib or > /usr/lib64 is added there, so setting it should be redundant as those > directories are in linker search path by default. If setting it is really > required, something like this should work instead: > LD_LIBRARY_PATH=%{_libdir}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} It seems that this line isn't necessary at all, so I will simply remove it.
Fixed in F13 and EPEL-5.