Bug 31359 - ctags new security issue CVE-2022-4515
Summary: ctags new security issue CVE-2022-4515
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-01-03 19:46 CET by David Walser
Modified: 2023-01-13 18:38 CET

See Also:
Source RPM: ctags-5.8-15.mga8.src.rpm
CVE:
Status comment:


Attachments
test file (75 bytes, text/x-csrc)
2023-01-09 11:40 CET, Herman Viaene

Description David Walser 2023-01-03 19:46:28 CET
Debian-LTS has issued an advisory on December 31:
https://www.debian.org/lts/security/2022/dla-3254

The issue appears to be fixed in version 6.0.0 of apparent fork universal-ctags, which Debian has packaged.  We should probably switch Cauldron to this version.

Mageia 8 is also affected.
David Walser 2023-01-03 19:46:46 CET

Status comment: (none) => Patch available from new upstream
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-01-03 20:12:52 CET
No particular packager in sight for 'ctags', so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2023-01-03 21:13:25 CET
Gentoo has also switched to universal-ctags:
https://packages.gentoo.org/packages/dev-util/ctags
Comment 3 Nicolas Salguero 2023-01-05 15:30:14 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way. (CVE-2022-4515)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4515
https://www.debian.org/lts/security/2022/dla-3254
========================

Updated package in core/updates_testing:
========================
ctags-5.8-15.1.mga8

from SRPM:
ctags-5.8-15.1.mga8.src.rpm

Status: NEW => ASSIGNED
Status comment: Patch available from new upstream => (none)
CC: (none) => nicolas.salguero
Source RPM: ctags-5.8-17.mga9.src.rpm => ctags-5.8-15.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
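
The class of bug named in the advisory in Comment 3 (a file name pasted into a command string that is handed to system(3)), shown next to a shell-free alternative. This is an added example, not Exuberant Ctags source and not the patch shipped in the update; the function names and the sample file name are hypothetical, and it assumes a POSIX system with sort(1) on PATH.

```c
/* Added illustration; not taken from ctags' sort.c. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Unsafe pattern: the file name becomes part of a shell command line, so
 * /bin/sh would interpret any metacharacters in it if passed to system(3). */
int build_shell_command(char *buf, size_t len, const char *tag_file)
{
    return snprintf(buf, len, "sort -u -o %s %s", tag_file, tag_file);
}

/* Hardened form: no shell. Each argument reaches sort(1) as one argv entry,
 * and "--" stops an input name starting with '-' being read as an option. */
int sort_tags_noshell(const char *tag_file)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "sort", "-u", "-o", (char *)tag_file,
                               "--", (char *)tag_file, NULL };
        execvp("sort", argv);
        _exit(127);                 /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed sample: a tag file whose name contains shell metacharacters.
 * Returns 0 if that exact file was sorted in place. */
int demo_sort_odd_name(void)
{
    const char *name = "tags; echo injected";
    char line[64] = "";
    FILE *f = fopen(name, "w");
    if (!f) return -1;
    fputs("main\thelloworld.c\t1\nalpha\thelloworld.c\t2\n", f);
    fclose(f);
    int rc = sort_tags_noshell(name);
    f = fopen(name, "r");
    if (f) { if (!fgets(line, sizeof line, f)) line[0] = '\0'; fclose(f); }
    remove(name);
    return (rc == 0 && strncmp(line, "alpha", 5) == 0) ? 0 : 1;
}

int main(void) { return demo_sort_odd_name(); }
```

With the argv form the whole string is treated as a single file name, which is why the oddly named file itself ends up sorted.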

Comment 4 Herman Viaene 2023-01-09 11:39:25 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 14277 Comment 2, following wilcal's example (uploading the file soon).
Created helloworld.c and ran
$ ctags -R helloworld.c
The created tag file reads
!_TAG_FILE_FORMAT	2	/extended format; --format=1 will not append ;" to lines/
!_TAG_FILE_SORTED	1	/0=unsorted, 1=sorted, 2=foldcase/
!_TAG_PROGRAM_AUTHOR	Darren Hiebert	/dhiebert@users.sourceforge.net/
!_TAG_PROGRAM_NAME	Exuberant Ctags	//
!_TAG_PROGRAM_URL	http://ctags.sourceforge.net	/official site/
!_TAG_PROGRAM_VERSION	5.8	//
main	helloworld.c	/^main()$/;"	f
If it's not the same, it's quite close, so OK, test succeeded.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Herman Viaene 2023-01-09 11:40:15 CET
Created attachment 13633
test file
Comment 6 Thomas Andrews 2023-01-10 14:21:28 CET
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-01-11 04:36:37 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2023-01-13 18:38:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0003.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

