Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 524004 (CVE-2014-7204) - <dev-util/ctags-20190331: denial of service (CVE-2014-7204)
Summary: <dev-util/ctags-20190331: denial of service (CVE-2014-7204)
Status: RESOLVED FIXED
Alias: CVE-2014-7204
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-29 10:26 UTC by Agostino Sarubbo
Modified: 2019-08-02 00:11 UTC (History)
1 user (show)

See Also:
Package list:
dev-util/ctags-20190331
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-09-29 10:26:13 UTC
From ${URL} :

A denial of service issue was discovered in ctags. This could lead to excessive CPU and disk space consumption.

For local uses of ctags, this is not much of an issue as there are many ways to consume CPU and disk space.

It was reported that version 5.6 (which is in Red Hat Enterprise Linux 5) is not affected. Version 5.8 is reported to be affected.

Upstream fix:

http://sourceforge.net/p/ctags/code/791/

CVE request:

http://seclists.org/oss-sec/2014/q3/780

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742605


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 01:06:47 UTC
CVE-2014-7204 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7204):
  jscript.c in Exuberant Ctags 5.8 allows remote attackers to cause a denial
  of service (infinite loop and CPU and disk consumption) via a crafted
  JavaScript file.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-03-22 07:10:59 UTC
@maintainers, can you include the attached patch or should this be considered a WONTFIX?
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-17 13:55:17 UTC
@maintainers could you confirm if ctags-20161028 is still affected?

Thank you
Comment 4 Larry the Git Cow gentoo-dev 2019-03-31 18:20:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e51c2e662a365f1b3923462d52a8151c3c03de80

commit e51c2e662a365f1b3923462d52a8151c3c03de80
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2019-03-31 18:19:53 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2019-03-31 18:20:13 +0000

    dev-util/ctags: version bump.
    
    Bug: https://bugs.gentoo.org/524004
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 dev-util/ctags/Manifest              |  1 +
 dev-util/ctags/ctags-20190331.ebuild | 71 ++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-02 01:38:22 UTC
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 09:09:26 UTC
amd64 stable
Comment 7 Rolf Eike Beer archtester 2019-04-06 10:21:27 UTC
sparc stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 21:39:41 UTC
arm stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:42:35 UTC
ia64 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 21:49:31 UTC
s390 stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2019-04-09 02:35:31 UTC
arm64 stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-20 18:10:38 UTC
alpha stable
Comment 13 Matt Turner gentoo-dev 2019-05-02 06:39:13 UTC
hppa stable
Comment 14 Agostino Sarubbo gentoo-dev 2019-06-03 15:00:18 UTC
ppc64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2019-06-04 19:01:28 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.