Bug 8973 - couchdb new security issues CVE-2012-5649 and CVE-2012-5650
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/536624/
Whiteboard: has_procedure MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Related bug: 2317

Reported: 2013-02-05 19:06 CET by David Walser
Modified: 2013-02-08 15:51 CET

Source RPM: couchdb-1.2.0-6.mga3.src.rpm

Attachments
/var/lib/couchdb/erl_crash.dump (291.10 KB, application/octet-stream), 2013-02-06 11:49 CET, claire robinson
Description David Walser 2013-02-05 19:06:33 CET
Fedora has issued an advisory on January 24:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098089.html

The issues are fixed upstream in 1.2.1.

Mageia 2 is also affected.
Comment 1 David Walser 2013-02-05 22:14:12 CET
In progress by Nicolas.

Pushed in SVN for Cauldron, awaiting freeze push.

Updated package uploaded for Mageia 2.

Updated RPMs:
couchdb-1.2.1-1.mga2
couchdb-bin-1.2.1-1.mga2

from couchdb-1.2.1-1.mga2.src.rpm
Comment 2 David Walser 2013-02-06 00:33:41 CET
Updated package uploaded for Cauldron.

Assigning to QA.

Advisory:
========================

Updated couchdb packages fix security vulnerabilities:

A security flaw was found in the way Apache CouchDB, a distributed,
fault-tolerant and schema-free document-oriented database accessible via a
RESTful HTTP/JSON API, processed certain JSON callbacks. A remote attacker
could provide a specially-crafted JSON callback that, when processed, could
lead to arbitrary JSON code execution via Adobe Flash (CVE-2012-5649).

A DOM-based cross-site scripting (XSS) flaw was found in the way the
browser-based test suite of Apache CouchDB, a distributed, fault-tolerant and
schema-free document-oriented database accessible via a RESTful HTTP/JSON
API, processed certain query parameters. A remote attacker could provide a
specially-crafted web page that, when accessed, could lead to arbitrary web
script or HTML execution in the context of a CouchDB user session
(CVE-2012-5650).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5650
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098089.html
========================

Updated packages in core/updates_testing:
========================
couchdb-1.2.1-1.mga2
couchdb-bin-1.2.1-1.mga2

from couchdb-1.2.1-1.mga2.src.rpm
Comment 3 claire robinson 2013-02-06 11:12:21 CET
Testing clues on bug 2196 and also http://wiki.apache.org/couchdb/CouchIn15Minutes
Comment 4 claire robinson 2013-02-06 11:13:48 CET
No PoCs, so just testing that it works.
Comment 5 claire robinson 2013-02-06 11:48:04 CET
Testing mga2 64 first with the single instance from couchdb-bin then again with the system wide instance from couchdb.

Before
------
# urpmi couchdb-bin
# su - couchdb
-bash-4.2$ couchdb
Apache CouchDB 1.1.1 (LogLevel=info) is starting.
Apache CouchDB has started. Time to relax.
[info] [<0.32.0>] Apache CouchDB has started on http://127.0.0.1:5984/

Followed the couchin15mins link 'Hello World!'. It actually took 5 minutes :)

Killed the instance with ctrl-c and exited back to root

^C
-bash-4.2$ exit
logout
#

Repeated with couchdb

# urpmi couchdb
# service couchdb start
Starting couchdb (via systemctl):                     [  OK  ]

Accessed at http://localhost:5984/_utils/ and deleted the example database, then followed couchin15mins again to recreate 'Hello World!'.

Stopped the service to test the updates

# service couchdb stop
Stopping couchdb (via systemctl):                     [  OK  ]

After
-----
# su - couchdb
-bash-4.2$ couchdb
{"init terminating in do_boot",{{badmatch,{error,{"no such file or directory","os_mon.app"}}},[{couch,start,0},{init,start_it,1},{init,start_em,1}]}}

Crash dump was written to: erl_crash.dump
init terminating in do_boot ()
-bash-4.2$

Crashes when started. I'll retrieve the logs from /var/lib/couchdb.

Testing couchdb...
# service couchdb start
Starting couchdb (via systemctl):                     [  OK  ]

It appears to be missing some css when browsing to http://localhost:5984/_utils/ and it won't create a database, so I don't think it is starting properly, despite the init script reporting it has done.

# ps aux | grep couch

Shows nothing.
Comment 6 claire robinson 2013-02-06 11:49:09 CET
Created attachment 3489 [details]
/var/lib/couchdb/erl_crash.dump
Comment 7 Nicolas Lécureuil 2013-02-06 23:11:11 CET
Fixed with the new package on updates_testing.

If you can't wait, please install the missing require: erlang-os_mon
Comment 8 claire robinson 2013-02-06 23:18:04 CET
Thanks Nicolas.

This will need to be depcheck'd before it's pushed as it's likely going to be affected by bug 2317
Comment 9 David Walser 2013-02-06 23:42:56 CET
Please don't forget to fix it in Cauldron too, as the updates_testing package is now newer (1.1.mga2 vs 1.mga3).
Comment 10 David Walser 2013-02-07 01:03:27 CET
couchdb is updated in Cauldron.  Thanks Nicolas.

It was also updated again in Mageia 2 to 1.2.1-1.2.mga2.
Comment 11 Dave Hodgins 2013-02-07 04:28:00 CET
The following packages will require linking:

erlang-os_mon-R14B03-3.mga2 (Core 32bit Release)
erlang-os_mon-R14B03-3.mga2 (Core Release)
Comment 12 Dave Hodgins 2013-02-07 04:50:25 CET
Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm
couchdb-1.2.1-1.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and
link the following rpm packages from Release to Updates ...
erlang-os_mon-R14B03-3.mga2 (Core 32bit Release)
erlang-os_mon-R14B03-3.mga2 (Core Release)

Advisory: Updated couchdb packages fix security vulnerabilities:

A security flaw was found in the way Apache CouchDB, a distributed,
fault-tolerant and schema-free document-oriented database accessible via a
RESTful HTTP/JSON API, processed certain JSON callbacks. A remote attacker
could provide a specially-crafted JSON callback that, when processed, could
lead to arbitrary JSON code execution via Adobe Flash (CVE-2012-5649).

A DOM-based cross-site scripting (XSS) flaw was found in the way the
browser-based test suite of Apache CouchDB, a distributed, fault-tolerant and
schema-free document-oriented database accessible via a RESTful HTTP/JSON
API, processed certain query parameters. A remote attacker could provide a
specially-crafted web page that, when accessed, could lead to arbitrary web
script or HTML execution in the context of a CouchDB user session
(CVE-2012-5650).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5650
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098089.html

https://bugs.mageia.org/show_bug.cgi?id=8973
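The advisory text in comment 2 and comment 12 names two input-handling bug classes: a JSONP callback parameter echoed into the response body (CVE-2012-5649) and a query parameter written into the DOM by browser-side code (CVE-2012-5650). The following is an added example, not CouchDB's code and not the fix shipped in 1.2.1; it shows the generic mitigation for each class. The function names, the 64-character callback limit and the sample inputs are assumptions constructed for the demo.

```javascript
// Added example (not CouchDB's code): generic mitigations for the two
// input-handling bug classes named in the advisory.

// 1. JSONP callback names. A server that echoes `?callback=<value>` verbatim
//    into the response body lets the requester choose the first bytes of the
//    response. Whitelisting the value as a plain JavaScript identifier (dots
//    allowed for namespaced handlers) removes that control.
const JSONP_CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

function isValidJsonpCallback(name) {
  // The 64-character cap is an assumed sanity limit, not a CouchDB value.
  return typeof name === "string" && name.length <= 64 && JSONP_CALLBACK_RE.test(name);
}

// Build a JSONP response body, or return null when the callback is rejected.
// The leading "/**/" is a common defence-in-depth prefix so the body never
// starts with requester-controlled bytes; the payload is serialised by
// JSON.stringify, so the callback name is the only other untrusted input.
function jsonpBody(callback, payload) {
  if (!isValidJsonpCallback(callback)) return null;
  return "/**/" + callback + "(" + JSON.stringify(payload) + ");";
}

// 2. Query parameters rendered by browser-side code. The unsafe pattern is
//    `el.innerHTML = param`; the safe patterns are `el.textContent = param`
//    or HTML-escaping before any innerHTML assignment. escapeHtml is the
//    escaping step; renderParamHtml applies it to a value read from a URL
//    query string (URLSearchParams is a Node and browser built-in).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderParamHtml(search, name) {
  const value = new URLSearchParams(search).get(name);
  if (value === null) return "";
  // Escaped text can be assigned to innerHTML without being parsed as markup.
  return "<span class=\"param\">" + escapeHtml(value) + "</span>";
}

// Constructed inputs for the demo (not taken from the bug report).
const DEMO = {
  goodCallback: "couch.handleResult",
  badCallback: "alert(1)//",
  search: "?db=<img src=x onerror=alert(1)>&limit=10",
};

function demo() {
  return {
    accepted: jsonpBody(DEMO.goodCallback, { ok: true }),
    rejected: jsonpBody(DEMO.badCallback, { ok: true }),
    rendered: renderParamHtml(DEMO.search, "db"),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Run with `node` to see the accepted and rejected callback bodies and the escaped rendering of the constructed `db` parameter. The whitelist approach is preferable to blacklisting individual characters because the response format (a JavaScript call expression) is known exactly, so anything outside an identifier is by definition not a legitimate callback.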
Comment 13 Thomas Backlund 2013-02-08 15:51:48 CET
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0040
