Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 637516 (CVE-2017-12635, CVE-2017-12636) - <dev-db/couchdb-1.7.1: Multiple Vulnerabilities
Summary: <dev-db/couchdb-1.7.1: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-12635, CVE-2017-12636
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://lists.apache.org/thread.html/...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-14 18:53 UTC by Francis Booth
Modified: 2017-11-19 20:53 UTC (History)
1 user (show)

See Also:
Package list:
=dev-db/couchdb-1.7.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Francis Booth 2017-11-14 18:53:01 UTC
From URL:

## CVE-2017-12635

Due to differences in CouchDB’s Erlang-based JSON parser and JavaScript-based
JSON parser, it is possible to submit _users documents with duplicate keys for
`roles` used for access control within the database, including the special case
`_admin` role, that denotes administrative users. In combination with
`CVE-2017-12636` (Remote Code Execution), this can be used to give non-admin
users access to arbitrary shell commands on the server as the database system
user.

The JSON parser differences result in behaviour that if two `roles` keys
are available in the JSON, the second one will be used for authorising the
document write, but the first `roles` key is used for subsequent
authorization for the newly created user. By design, users can not assign
themselves roles. The vulnerability allows non-admin users to give
themselves admin privileges.

We addressed this issue by updating the way CouchDB parses JSON in
Erlang, mimicking the JavaScript behaviour of picking the last key, if
duplicates exist.

This issue was discovered by `Max Justicz` (https://mastodon.mit.edu/@maxj)

See also: Max’s own blog post about the issue and the motivation behind
his research: https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

## CVE-2017-12636

CouchDB administrative users can configure the database server via HTTP(S). Some
of the configuration options include paths for operating system-level binaries
that are subsequently launched by CouchDB. This allows a CouchDB admin user to
execute arbitrary shell commands as the CouchDB user, including downloading
and executing scripts from the public internet.

Reproducible: Didn't try
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-11-14 20:29:54 UTC
Bumped 1.7.1, feel free to stabilize.
Comment 2 Thomas Deutschmann gentoo-dev 2017-11-14 22:06:59 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-11-15 21:01:51 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-15 23:23:39 UTC
ppc stable
Comment 5 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-11-19 19:39:32 UTC
All arches stable, vulnerable versions cleaned up.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-19 19:52:28 UTC
GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-11-19 20:53:27 UTC
This issue was resolved and addressed in
 GLSA 201711-16 at https://security.gentoo.org/glsa/201711-16
by GLSA coordinator Christopher Diaz Riveros (chrisadr).