FS#42246 - [ctags] CVE-2014-7204: denial of service

Attached to Project: Arch Linux
Opened by Levente Polyak (anthraxx) - Saturday, 04 October 2014, 21:16 GMT
Last edited by Dave Reisner (falconindy) - Friday, 24 October 2014, 20:18 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Giovanni Scafora (giovanni)
Dave Reisner (falconindy)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No


It has been reported [0] that ctags 5.8-4 is affected by a denial of service vulnerability tracked as CVE-2014-7204 [1].

Certain JavaScript files cause ctags to enter an infinite loop until it runs out of disk space, resulting in denial of service.

The problem has been fixed upstream [2] but no release is available yet.
I recommend to backport the patch like f.e. debian [3].

[0] http://seclists.org/oss-sec/2014/q3/842
[1] https://access.redhat.com/security/cve/CVE-2014-7204
[2] http://sourceforge.net/p/ctags/code/791/
[3] http://anonscm.debian.org/cgit/users/cjwatson/exuberant-ctags.git/commit/?h=wheezy&id=f3d5c529d16838ba790ab00a2dc242840eeaf70a
This task depends upon

Closed by  Dave Reisner (falconindy)
Friday, 24 October 2014, 20:18 GMT
Reason for closing:  Fixed
Additional comments about closing:  ctags-5.8-5
Comment by Levente Polyak (anthraxx) - Tuesday, 07 October 2014, 12:09 GMT
Anything we can do to help you on this issue? Do you need information or anything?
Would be cool to have an estimation when we can approximately resolve this.
cheers Levente