Bug 899486 - (CVE-2014-7204) VUL-1: CVE-2014-7204: ctags: possible denial of service
VUL-1: CVE-2014-7204: ctags: possible denial of service
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2014-10-02 07:24 UTC by Marcus Meissner
Modified: 2020-08-04 08:23 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-10-02 07:24:21 UTC
via oss-sec

    https://bugs.debian.org/742605 was reported some time ago against the
    Debian package of Exuberant Ctags (http://ctags.sourceforge.net/); it's
    a CPU/disk denial of service that results from attempting to run ctags
    over large volumes of public source code.

    Not affected: 5.6
    Affected: 5.8 (the latest release)

    Upstream fix, determined by bisection:

    As far as I know this was not identified as a security problem upstream,
    just fixed as a normal bug in the course of development.

It seems unlikely that there's an alternate perspective in which it's
not an upstream vulnerability. Untrusted .js input seems to be a
common use case, and the impact is an infinite loop (or similar).

    The sources.debian.net use case turns it into a DoS ... Since we'd
    like to issue patches for this bug as security updates, please could I
    have a CVE identifier for this?

Use CVE-2014-7204.

Comment 1 SMASH SMASH 2014-10-02 08:55:16 UTC
Affected packages:

SLE-10-SP3-TERADATA: ctags
SLE-11-SP3: ctags
SLE-11-SP3-PRODUCTS: ctags
SLE-11-SP3-UPTU: ctags
SLE-12: ctags
Comment 2 Swamp Workflow Management 2014-10-02 22:00:22 UTC
bugbot adjusting priority
Comment 3 Petr Uzel 2014-10-07 07:50:51 UTC
(In reply to SMASH SMASH from comment #1)
> Affected packages:
> SLE-10-SP3-TERADATA: ctags

SLE10* is built from ctags-5.5.4 (although the package version is ctags 2006.3.7) - NOT affected.

> SLE-11-SP3: ctags
> SLE-11-SP3-PRODUCTS: ctags
> SLE-11-SP3-UPTU: ctags

All SLE11 service packs share the same sources, so I've submitted to SLE-11:Update:Test as sr#45103

> SLE-12: ctags

Submitted to SLE-12:GA as sr#45105

Also submitted to
- Factory: sr#254478
- 12.3:    sr#254479
- 13.1:    sr#254480
- 13.2 [*]:sr#254481

[*] 'osc maintained ctags' tells that 13.2 is already in maintenance mode???

Back to security team for processing.
Comment 5 Bernhard Wiedemann 2014-10-07 08:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (899486) was mentioned in
https://build.opensuse.org/request/show/254479 12.3 / ctags
https://build.opensuse.org/request/show/254480 13.1 / ctags
https://build.opensuse.org/request/show/254481 13.2 / ctags.openSUSE_13.2
Comment 6 Sebastian Krahmer 2014-10-07 09:52:31 UTC
I can handle the SLE12 case, but given the low severity I doubt we really need
updates for older SLE's.
Comment 7 Swamp Workflow Management 2016-08-18 13:09:15 UTC
SUSE-SU-2016:2097-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 899486,976920
CVE References: CVE-2014-7204
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    ctags-5.8-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ctags-5.8-7.1
Comment 13 Alexandros Toptsoglou 2020-08-04 08:23:55 UTC