Bug 14277 - ctags new security issue CVE-2014-7204
Summary: ctags new security issue CVE-2014-7204
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/615068/
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-13 20:14 CEST by David Walser
Modified: 2014-10-23 15:28 CEST (History)
3 users (show)

See Also:
Source RPM: ctags-5.8-6.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-10-13 20:14:03 CEST
Fedora has issued an advisory on October 1:
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/140349.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated ctags package fixes security vulnerability:

A denial of service issue was discovered in ctags 5.8. A remote attacker could
cause excessive CPU usage and disk space consumption via a crafted JavaScript
file by triggering an infinite loop (CVE-2014-7204).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7204
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/140349.html
========================

Updated packages in core/updates_testing:
========================
ctags-5.8-6.1.mga3
ctags-5.8-7.1.mga4

from SRPMS:
ctags-5.8-6.1.mga3.src.rpm
ctags-5.8-7.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-10-13 20:14:09 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Len Lawrence 2014-10-15 16:39:29 CEST
Testing on mga4 x86_64

ctags-5.8-7.1.mga4 from Core Updates Testing.
Not familiar with this package but managed to create a TAGS index file in my ruby directory by running "ctags -eR *" and then searched the file from within emacs.

exuberant-ctags is an application designed to compile an index of various program constructs found in a specified set of files.  There is support for a variety of languages including C, C++, Python and Ruby and programming tools such as emacs understand the format.  It proves its worth in large software projects with a complex file hierarchy.

Marking this as OK.

CC: (none) => tarazed25

Len Lawrence 2014-10-15 17:06:10 CEST

Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 2 William Kenney 2014-10-15 17:17:46 CEST
My test procedure:

create c code file hello_world.c:

#include <stdio.h>
 
main()
{
    printf("Hello World\n");
    return 0;
}

In terminal run:

[wilcal@localhost ctags]$ ctags -R hello_world.c

Generates file "tags" which contains:

!_TAG_FILE_FORMAT	2	/extended format; --format=1 will not append ;" to lines/
!_TAG_FILE_SORTED	1	/0=unsorted, 1=sorted, 2=foldcase/
!_TAG_PROGRAM_AUTHOR	Darren Hiebert	/dhiebert@users.sourceforge.net/
!_TAG_PROGRAM_NAME	Exuberant Ctags	//
!_TAG_PROGRAM_URL	http://ctags.sourceforge.net	/official site/
!_TAG_PROGRAM_VERSION	5.8	//
main	hello_world.c	/^main()$/;"	f

CC: (none) => wilcal.int

Comment 3 William Kenney 2014-10-15 17:18:32 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
ctags

default install of ctags

[root@localhost wilcal]# urpmi ctags
Package ctags-5.8-7.mga4.i586 is already installed

Test procedure works
erase file "tags"

install ctags from updates_testing

[root@localhost wilcal]# urpmi ctags
Package ctags-5.8-7.1.mga4.i586 is already installed

Test procedure works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
William Kenney 2014-10-15 17:18:52 CEST

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK

Comment 4 William Kenney 2014-10-15 17:30:59 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
ctags

default install of ctags

[root@localhost wilcal]# urpmi ctags
Package ctags-5.8-6.mga3.i586 is already installed

Test procedure works
erase file "tags"

install ctags from updates_testing

[root@localhost wilcal]# urpmi ctags
Package ctags-5.8-6.1.mga3.i586 is already installed

Test procedure works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK

Comment 5 William Kenney 2014-10-15 17:44:53 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
ctags

default install of ctags

[root@localhost ctags]# urpmi ctags
Package ctags-5.8-6.mga3.x86_64 is already installed

Test procedure works
erase file "tags"

install ctags from updates_testing

[root@localhost wilcal]# urpmi ctags
Package ctags-5.8-6.1.mga3.x86_64 is already installed

Test procedure works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK

Comment 6 William Kenney 2014-10-15 17:46:58 CEST
For us this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
So without further ado I'm validating the update. Thank you Len.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Rémi Verschelde 2014-10-18 10:17:17 CEST
Advisory uploaded.

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory

Comment 8 Mageia Robot 2014-10-23 15:28:32 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0415.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.