Bug 8973

Summary: couchdb new security issues CVE-2012-5649 and CVE-2012-5650
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, dmorganec, fundawang, mageia, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/536624/
Whiteboard: has_procedure MGA2-64-OK MGA2-32-OK
Source RPM: couchdb-1.2.0-6.mga3.src.rpm CVE:
Status comment:
Bug Depends on: 2317    
Bug Blocks:    
Attachments: /var/lib/couchdb/erl_crash.dump

Description David Walser 2013-02-05 19:06:33 CET 
Fedora has issued an advisory on January 24:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098089.html

The issues are fixed upstream in 1.2.1.

Mageia 2 is also affected.
David Walser 2013-02-05 19:06:47 CET

CC: (none) => dmorganec
Whiteboard: (none) => MGA2TOO

Comment 1 David Walser 2013-02-05 22:14:12 CET 
In progress by Nicolas.

Pushed in SVN for Cauldron, awaiting freeze push.

Updated package uploaded for Mageia 2.

Updated RPMs:
couchdb-1.2.1-1.mga2
couchdb-bin-1.2.1-1.mga2

from couchdb-1.2.1-1.mga2.src.rpm

CC: (none) => fundawang
Assignee: fundawang => nicolas.lecureuil

Comment 2 David Walser 2013-02-06 00:33:41 CET 
Updated package uploaded for Cauldron.

Assigning to QA.

Advisory:
========================

Updated couchdb packages fix security vulnerabilities:

A security flaw was found in the way Apache CouchDB, a distributed, fault-
tolerant and schema-free document-oriented database accessible via a RESTful
HTTP/JSON API, processed certain JSON callback. A remote attacker could
provide a specially-crafted JSON callback that, when processed could lead to
arbitrary JSON code execution via Adobe Flash (CVE-2012-5649).

A DOM based cross-site scripting (XSS) flaw was found in the way browser-
based test suite of Apache CouchDB, a distributed, fault-tolerant and
schema-free document-oriented database accessible via a RESTful HTTP/JSON
API, processed certain query parameters. A remote attacker could provide a
specially-crafted web page that, when accessed could lead to arbitrary web
script or HTML execution in the context of a CouchDB user session
(CVE-2012-5650).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5650
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098089.html
========================

Updated packages in core/updates_testing:
========================
couchdb-1.2.1-1.mga2
couchdb-bin-1.2.1-1.mga2

from couchdb-1.2.1-1.mga2.src.rpm

CC: (none) => nicolas.lecureuil
Version: Cauldron => 2
Assignee: nicolas.lecureuil => qa-bugs
Whiteboard: MGA2TOO => (none)

Comment 3 claire robinson 2013-02-06 11:12:21 CET 
Testing clues on bug 2196 and also http://wiki.apache.org/couchdb/CouchIn15Minutes
claire robinson 2013-02-06 11:12:39 CET

Whiteboard: (none) => has_procedure

Comment 4 claire robinson 2013-02-06 11:13:48 CET 
No PoC's so just testing it works
Comment 5 claire robinson 2013-02-06 11:48:04 CET 
Testing mga2 64 first with the single instance from couchdb-bin then again with the system wide instance from couchdb.

Before
------
# urpmi couchdb-bin
# su - couchdb
-bash-4.2$ couchdb
Apache CouchDB 1.1.1 (LogLevel=info) is starting.
Apache CouchDB has started. Time to relax.
[info] [<0.32.0>] Apache CouchDB has started on http://127.0.0.1:5984/

Followed the couchin15mins link 'Hello World!'. It actually took 5 minutes :)

Killed the instance with ctrl-c and exited back to root

^C
-bash-4.2$ exit
logout
#

Repeated with couchdb

# urpmi couchdb
# service couchdb start
Starting couchdb (via systemctl):                     [  OK  ]

Accessed at http://localhost:5984/_utils/ and deleted the example database then followed couchdbin15mins again to recreate 'Hello World!'.

Stopped the service to test the updates

# service couchdb stop
Stopping couchdb (via systemctl):                     [  OK  ]

After
-----
# su - couchdb
-bash-4.2$ couchdb
{"init terminating in do_boot",{{badmatch,{error,{"no such file or directory","os_mon.app"}}},[{couch,start,0},{init,start_it,1},{init,start_em,1}]}}

Crash dump was written to: erl_crash.dump
init terminating in do_boot ()
-bash-4.2$

Crashes when started. I'll retrieve the logs from /var/lib/couchdb.

Testing couchdb..
# service couchdb start
Starting couchdb (via systemctl):                     [  OK  ]

It appears to be missing some some css when browsing to http://localhost:5984/_utils/ and it won't create a databse, so I don't think it is starting properly, despite the init script reporting it has done.

# ps aux | grep couch

Shows nothing.

Whiteboard: has_procedure => has_procedure feedback

Comment 6 claire robinson 2013-02-06 11:49:09 CET 
Created attachment 3489 [details]
/var/lib/couchdb/erl_crash.dump
Comment 7 Nicolas Lécureuil 2013-02-06 23:11:11 CET 
fixed with the new package on updates_testing.

If you can't wait please install the missing require:  erlang-os_mon
Comment 8 claire robinson 2013-02-06 23:18:04 CET 
Thanks Nicolas.

This will need to be depcheck'd before it's pushed as it's likely going to be affected by bug 2317

Whiteboard: has_procedure feedback => has_procedure

Comment 9 David Walser 2013-02-06 23:42:56 CET 
Please don't forget to fix it in Cauldron too, as the updates_testing package is now newer (1.1.mga2 vs 1.mga3).

URL: http://lwn.net/Vulnerabilities/536056/ => http://lwn.net/Vulnerabilities/536624/
Summary: couchdb new security issues CVE-2012-5649 CVE-2012-5650 => couchdb new security issues CVE-2012-5649 and CVE-2012-5650

Comment 10 David Walser 2013-02-07 01:03:27 CET 
couchdb is updated in Cauldron.  Thanks Nicolas.

It was also updated again in Mageia 2 to 1.2.1-1.2.mga2.
Comment 11 Dave Hodgins 2013-02-07 04:28:00 CET 
The following packages will require linking:

erlang-os_mon-R14B03-3.mga2 (Core 32bit Release)
erlang-os_mon-R14B03-3.mga2 (Core Release)

CC: (none) => davidwhodgins

Comment 12 Dave Hodgins 2013-02-07 04:50:25 CET 
Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm
couchdb-1.2.1-1.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and
link the following rpm packages from Release to Updates ...
erlang-os_mon-R14B03-3.mga2 (Core 32bit Release)
erlang-os_mon-R14B03-3.mga2 (Core Release)

Advisory: Updated couchdb packages fix security vulnerabilities:

A security flaw was found in the way Apache CouchDB, a distributed, fault-
tolerant and schema-free document-oriented database accessible via a RESTful
HTTP/JSON API, processed certain JSON callback. A remote attacker could
provide a specially-crafted JSON callback that, when processed could lead to
arbitrary JSON code execution via Adobe Flash (CVE-2012-5649).

A DOM based cross-site scripting (XSS) flaw was found in the way browser-
based test suite of Apache CouchDB, a distributed, fault-tolerant and
schema-free document-oriented database accessible via a RESTful HTTP/JSON
API, processed certain query parameters. A remote attacker could provide a
specially-crafted web page that, when accessed could lead to arbitrary web
script or HTML execution in the context of a CouchDB user session
(CVE-2012-5650).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5650
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098089.html

https://bugs.mageia.org/show_bug.cgi?id=8973

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure => has_procedure MGA2-64-OK MGA2-32-OK

claire robinson 2013-02-07 10:59:54 CET

Depends on: (none) => 2317

Comment 13 Thomas Backlund 2013-02-08 15:51:48 CET 
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0040

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED