Bug 452020 (CVE-2012-5649) - <dev-db/couchdb-1.2.1 multiple vulnerabilities (CVE-2012-{5649,5650})
Summary: <dev-db/couchdb-1.2.1 multiple vulnerabilities (CVE-2012-{5649,5650})
Status: RESOLVED FIXED
Alias: CVE-2012-5649
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-14 11:33 UTC by Dirkjan Ochtman (RETIRED)
Modified: 2013-08-22 10:10 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Dirkjan Ochtman (RETIRED) gentoo-dev 2013-01-14 11:33:17 UTC
couchdb-1.2.1 is in the tree, should we stabilize it quickly?
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 19:55:01 UTC
CVE-2012-5649

JSONP arbitrary code execution with Adobe Flash

Severity: Moderate

Vendor: The Apache Software Foundation
 
Affected Versions:
JSONP is supported but disabled by default in all currently supported
releases of Apache CouchDB. Administrator access is required to enable it.
Releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable, if
administrators have enabled JSONP.

Description:
A hand-crafted JSONP callback and response can be used to run
arbitrary code inside client-side browsers via Adobe Flash.

Mitigation:
Upgrade to a supported release that includes this fix, such as
CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
include a specific fix.

Work-Around:
Disable JSONP.

--------

CVE-2012-5650 

DOM based Cross-Site Scripting via Futon UI

Affected Versions:
Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0 
are vulnerable.

Description:
Query parameters passed into the browser-based test suite are not sanitised,
and can be used to load external resources. An attacker may execute JavaScript
code in the browser, using the context of the remote user.

Mitigation:
Upgrade to a supported release that includes this fix, such as Apache
CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
include a specific fix.

Work-Around:
Disable the Futon user interface completely, by adapting `local.ini` and
restarting CouchDB:

    [httpd_global_handlers]
    _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}

Or by removing the UI test suite components:

    share/www/verify_install.html
    share/www/couch_tests.html
    share/www/custom_test.html

Acknowledgement:
This vulnerability was discovered & reported to the Apache Software Foundation
by Frederik Braun https://frederik-braun.com/

--------

(In reply to comment #0)
> couchdb-1.2.1 is in the tree, should we stabilize it quickly?

Arches, please test and mark stable.
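The fix class the advisory above refers to for CVE-2012-5649 is to keep JSONP off unless an administrator enabled it and, when it is on, to accept only a plain (optionally dotted) JavaScript identifier as the callback, so the response body can never be anything other than `<identifier>(<json>)`. The following Python check is an added illustration written for this bug, not CouchDB's own Erlang code; the function names, the identifier rule and the sample callback values are constructed for the example.

```python
import json
import re
from typing import Optional, Tuple

# Constructed rule: a callback is a dotted JavaScript identifier such as "cb"
# or "app.handlers.done". Operators, quotes, brackets, whitespace and
# non-ASCII bytes are all rejected, so a crafted callback cannot turn the
# JSONP wrapper into a different script or a different file format.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$", re.ASCII)


def is_safe_callback(name: str) -> bool:
    """Return True only when `name` matches the identifier rule above."""
    return bool(name) and _CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(callback: Optional[str], payload: dict,
                   allow_jsonp: bool = False) -> Tuple[int, str, str]:
    """Build (status, content_type, body) for a document response.

    Mirrors the two controls in the advisory: JSONP stays disabled unless the
    administrator turned it on (allow_jsonp), and when it is on the callback
    must pass is_safe_callback() before it is echoed into the response.
    """
    body = json.dumps(payload, separators=(",", ":"))  # ensure_ascii escapes non-ASCII
    if callback is None:
        return 200, "application/json", body
    if not allow_jsonp:
        # Same shape as serving plain JSON: the callback is simply not honoured.
        return 400, "application/json", json.dumps({"error": "jsonp_disabled"})
    if not is_safe_callback(callback):
        return 400, "application/json", json.dumps({"error": "bad_callback"})
    return 200, "text/javascript", f"{callback}({body});"


if __name__ == "__main__":
    # Constructed sample callbacks, from benign to clearly malformed.
    for cb in ("cb", "app.handlers.done", "alert(1)//", "a..b", "x y"):
        print(repr(cb), "->", jsonp_response(cb, {"ok": True}, allow_jsonp=True))
```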
Comment 2 Agostino Sarubbo gentoo-dev 2013-01-16 12:57:38 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-01-16 15:03:05 UTC
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-01-21 12:43:28 UTC
x86 stable
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-21 22:37:25 UTC
Re-rating this as a B4: the description above neglected to mention that CVE-2012-5649 allows arbitrary execution of JSON code.

GLSA vote: no.
Comment 6 Sergey Popov gentoo-dev 2013-08-22 10:10:53 UTC
GLSA vote: no

Closing as noglsa