Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 637516 (CVE-2017-12635, CVE-2017-12636)

Summary: <dev-db/couchdb-1.7.1: Multiple Vulnerabilities
Product: Gentoo Security Reporter: Francis Booth <boothf>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: djc
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E
Whiteboard: B1 [glsa cve]
Package list:
=dev-db/couchdb-1.7.1
 Runtime testing required: ---

Description Francis Booth 2017-11-14 18:53:01 UTC 
From URL:

## CVE-2017-12635

Due to differences in CouchDB’s Erlang-based JSON parser and JavaScript-based
JSON parser, it is possible to submit _users documents with duplicate keys for
`roles` used for access control within the database, including the special case
`_admin` role, that denotes administrative users. In combination with
`CVE-2017-12636` (Remote Code Execution), this can be used to give non-admin
users access to arbitrary shell commands on the server as the database system
user.

The JSON parser differences result in behaviour that if two `roles` keys
are available in the JSON, the second one will be used for authorising the
document write, but the first `roles` key is used for subsequent
authorization for the newly created user. By design, users can not assign
themselves roles. The vulnerability allows non-admin users to give
themselves admin privileges.

We addressed this issue by updating the way CouchDB parses JSON in
Erlang, mimicking the JavaScript behaviour of picking the last key, if
duplicates exist.

This issue was discovered by `Max Justicz` (https://mastodon.mit.edu/@maxj)

See also: Max’s own blog post about the issue and the motivation behind
his research: https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

## CVE-2017-12636

CouchDB administrative users can configure the database server via HTTP(S). Some
of the configuration options include paths for operating system-level binaries
that are subsequently launched by CouchDB. This allows a CouchDB admin user to
execute arbitrary shell commands as the CouchDB user, including downloading
and executing scripts from the public internet.

Reproducible: Didn't try
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-11-14 20:29:54 UTC 
Bumped 1.7.1, feel free to stabilize.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-14 22:06:59 UTC 
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-11-15 21:01:51 UTC 
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-15 23:23:39 UTC 
ppc stable
Comment 5 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-11-19 19:39:32 UTC 
All arches stable, vulnerable versions cleaned up.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-11-19 19:52:28 UTC 
GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-11-19 20:53:27 UTC 
This issue was resolved and addressed in
 GLSA 201711-16 at https://security.gentoo.org/glsa/201711-16
by GLSA coordinator Christopher Diaz Riveros (chrisadr).