user/ctags: multiple vulnerabilities
| Bugzilla ID | 270 |
| Alias(es) | CVE-2014-7204 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-23 12:27:09 -0500 |
| Modified | 2020-06-22 06:11:36 -0500 |
| Status | CONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/ctags |
Description
We currently ship 5.8, which is missing at least this fix for a format string vulnerability as described in [1, 2]:
https://sourceforge.net/p/ctags/code/747/
There seems to be even more commits after this one in trunk on SF as late as 2014. Seems the following distros only have the commits since 2011-03-10 however:
Debian
Trisquel
Ubuntu
Fedora[3] made me aware of CVE-2014-7204[4]:
jscript.c in Exuberant Ctags 5.8 allows remote attackers to cause a
denial of service (infinite loop and CPU and disk consumption) via a
crafted JavaScript file.
Nix[5] is building off the latest SVN trunk.
openSUSE[6] has a hodgepodge of patches.
Alpine[7] switched to Universal ctags and dropped Exuberant ctags entirely.
[1] https://www.openwall.com/lists/oss-security/2020/04/23/4
[2] https://blog.jasper.la/poking-old-format-string-bugs.html
[3] https://src.fedoraproject.org/rpms/ctags/tree/master
[4] https://nvd.nist.gov/vuln/detail/CVE-2014-7204
[5] https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/tools/misc/ctags/default.nix#L5
[6] https://build.opensuse.org/package/show/openSUSE:Factory/ctags
[7] https://git.alpinelinux.org/aports/commit/?id=a92e43efbc78b4f7a6b601653f07fb80e1ebd25f