Bug 31359

Summary: ctags new security issue CVE-2022-4515
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: ctags-5.8-15.mga8.src.rpm CVE:
Status comment:
Attachments: test file

Description David Walser 2023-01-03 19:46:28 CET 
Debian-LTS has issued an advisory on December 31:
https://www.debian.org/lts/security/2022/dla-3254

The issue appears to be fixed in version 6.0.0 of apparent fork universal-ctags, which Debian has packaged.  We should probably switch Cauldron to this version.

Mageia 8 is also affected.
David Walser 2023-01-03 19:46:46 CET

Status comment: (none) => Patch available from new upstream
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-01-03 20:12:52 CET 
No particular packager in sight for 'ctags', so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2023-01-03 21:13:25 CET 
Gentoo has also switched to universal-ctags:
https://packages.gentoo.org/packages/dev-util/ctags
Comment 3 Nicolas Salguero 2023-01-05 15:30:14 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way. (CVE-2022-4515)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4515
https://www.debian.org/lts/security/2022/dla-3254
========================

Updated package in core/updates_testing:
========================
ctags-5.8-15.1.mga8

from SRPM:
ctags-5.8-15.1.mga8.src.rpm

Status: NEW => ASSIGNED
Status comment: Patch available from new upstream => (none)
CC: (none) => nicolas.salguero
Source RPM: ctags-5.8-17.mga9.src.rpm => ctags-5.8-15.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 4 Herman Viaene 2023-01-09 11:39:25 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 14277 Comment 2, following wilcal's example (uploading the file soon).
Created helloworld.c and run
$ ctags -R helloworld.c
The created tag file reads
!_TAG_FILE_FORMAT	2	/extended format; --format=1 will not append ;" to lines/
!_TAG_FILE_SORTED	1	/0=unsorted, 1=sorted, 2=foldcase/
!_TAG_PROGRAM_AUTHOR	Darren Hiebert	/dhiebert@users.sourceforge.net/
!_TAG_PROGRAM_NAME	Exuberant Ctags	//
!_TAG_PROGRAM_URL	http://ctags.sourceforge.net	/official site/
!_TAG_PROGRAM_VERSION	5.8	//
main	helloworld.c	/^main()$/;"	f
If it's not the same, it's quite close, so OK, ttest succeeded.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Herman Viaene 2023-01-09 11:40:15 CET 
Created attachment 13633 [details]
test file
Comment 6 Thomas Andrews 2023-01-10 14:21:28 CET 
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-01-11 04:36:37 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2023-01-13 18:38:36 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0003.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED