Bug 637516 (CVE-2017-12635, CVE-2017-12636) - <dev-db/couchdb-1.7.1: Multiple Vulnerabilities
Summary: <dev-db/couchdb-1.7.1: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-12635, CVE-2017-12636
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://lists.apache.org/thread.html/...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-14 18:53 UTC by Francis Booth
Modified: 2017-11-19 20:53 UTC
CC: 1 user

See Also:
Package list:
=dev-db/couchdb-1.7.1
Runtime testing required: ---
stable-bot: sanity-check+


Description Francis Booth 2017-11-14 18:53:01 UTC
From URL:

## CVE-2017-12635

Due to differences in CouchDB’s Erlang-based JSON parser and JavaScript-based
JSON parser, it is possible to submit _users documents with duplicate keys for
`roles` used for access control within the database, including the special case
`_admin` role, that denotes administrative users. In combination with
`CVE-2017-12636` (Remote Code Execution), this can be used to give non-admin
users access to arbitrary shell commands on the server as the database system
user.

The JSON parser differences result in behaviour that if two `roles` keys
are available in the JSON, the second one will be used for authorising the
document write, but the first `roles` key is used for subsequent
authorization for the newly created user. By design, users cannot assign
themselves roles. The vulnerability allows non-admin users to give
themselves admin privileges.

We addressed this issue by updating the way CouchDB parses JSON in
Erlang, mimicking the JavaScript behaviour of picking the last key, if
duplicates exist.

This issue was discovered by `Max Justicz` (https://mastodon.mit.edu/@maxj)

See also: Max’s own blog post about the issue and the motivation behind
his research: https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

## CVE-2017-12636

CouchDB administrative users can configure the database server via HTTP(S). Some
of the configuration options include paths for operating system-level binaries
that are subsequently launched by CouchDB. This allows a CouchDB admin user to
execute arbitrary shell commands as the CouchDB user, including downloading
and executing scripts from the public internet.

Reproducible: Didn't try
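The parser differential in the CVE-2017-12635 description, as an added illustration that is not part of the bug report or of CouchDB itself: the same constructed `_users` document yields different `roles` under a first-key-wins parser and a last-key-wins parser, and a strict hook that refuses repeated keys catches it before any authorization decision is made (the document, hook names and `validate_user_doc` are assumptions for this example).

```python
import json

# Constructed _users document with a repeated "roles" key, shaped after the
# advisory text: a first-wins parser sees ["_admin"], a last-wins parser sees [].
DOC = '{"type":"user","name":"alice","roles":["_admin"],"roles":[],"password":"x"}'
CLEAN_DOC = '{"type":"user","name":"alice","roles":[],"password":"x"}'


def first_wins(pairs):
    """object_pairs_hook: keep the first value of a repeated key
    (the pre-fix Erlang-side behaviour described in the advisory)."""
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def last_wins(pairs):
    """object_pairs_hook: keep the last value of a repeated key
    (JavaScript JSON.parse behaviour, which the CouchDB fix adopted)."""
    return dict(pairs)


def reject_duplicates(pairs):
    """object_pairs_hook: refuse any object that repeats a key, so that no
    two components can ever disagree about what the document says."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key!r}")
        seen.add(key)
    return dict(pairs)


def roles_seen_by(doc, hook):
    """Return the roles a parser using `hook` would extract from `doc`."""
    return json.loads(doc, object_pairs_hook=hook).get("roles")


def validate_user_doc(doc):
    """Strict parse of a _users document: (True, roles) or (False, reason)."""
    try:
        parsed = json.loads(doc, object_pairs_hook=reject_duplicates)
    except ValueError as err:
        return False, str(err)
    return True, parsed.get("roles")
```

The hooks apply to nested objects too, so a repeated key buried inside a sub-object is rejected as well.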
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-11-14 20:29:54 UTC
Bumped 1.7.1, feel free to stabilize.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-14 22:06:59 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-11-15 21:01:51 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-15 23:23:39 UTC
ppc stable
Comment 5 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-11-19 19:39:32 UTC
All arches stable, vulnerable versions cleaned up.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-11-19 19:52:28 UTC
GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-11-19 20:53:27 UTC
This issue was resolved and addressed in GLSA 201711-16 at https://security.gentoo.org/glsa/201711-16 by GLSA coordinator Christopher Diaz Riveros (chrisadr).