CVE-2022-4515

Name: CVE-2022-4515
Description: A flaw was found in Exuberant Ctags in the way it handles the "-o" option, which specifies the tag filename. A crafted tag filename given on the command line or in the configuration file results in arbitrary command execution because externalSortTags() in sort.c interpolates the filename into a shell command string and passes it to the system(3) function, so shell metacharacters in the name are executed.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3254-1
Debian Bugs: 1026995
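The mechanism behind this entry, as an added example that is not part of this tracker page or of the ctags sources: the unsafe pattern (the tag file name formatted into a shell command line that would be handed to system(3)) next to a fork/exec alternative that passes the name as a single argv element, so a crafted name such as "tags; touch /tmp/pwned" is only ever a file name. The function names, the metacharacter check and the sample tag lines are constructed for the example; the unsafe command is only built, never executed, and the safe path assumes a POSIX system with sort(1) on PATH.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Illustrative reconstruction of the unsafe pattern (not the ctags source):
 * the tag file name is formatted straight into a shell command line.
 * Anything the shell treats specially in the name (';', '|', '$(...)', ...)
 * is executed the moment the string reaches system(3). */
static int build_sort_command_unsafe(const char *tagfile, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "LC_ALL=C sort -u -o %s %s", tagfile, tagfile);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Convenience wrapper returning the command system(3) would receive. */
static const char *unsafe_command_for(const char *tagfile)
{
    static char cmd[1024];
    return build_sort_command_unsafe(tagfile, cmd, sizeof cmd) == 0 ? cmd : NULL;
}

/* Returns 1 if the name contains a character a POSIX shell would interpret.
 * A defence-in-depth input check only; the real fix is to keep the shell
 * out of the loop entirely, as below. */
static int has_shell_metachar(const char *name)
{
    return name[strcspn(name, " \t\n;&|<>()$`\\\"'*?[]#~")] != '\0';
}

/* Hardened form: fork/exec sort(1) directly. The file name is one argv
 * element, so no shell ever parses it. Returns sort's exit status, or -1
 * if it could not be run. */
static int sort_tags_file_safe(const char *tagfile)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        setenv("LC_ALL", "C", 1);          /* byte-order collation for the tag file */
        execlp("sort", "sort", "-u", "-o", tagfile, tagfile, (char *)NULL);
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Round trip on a constructed tag file: writes unsorted, duplicated tag
 * lines, sorts them with the safe routine and checks the result.
 * Returns 1 on success. */
static int demo_safe_sort_roundtrip(void)
{
    char path[] = "/tmp/ctags-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    const char *unsorted =
        "main\tfoo.c\t/^int main/;\"\tf\n"
        "abc\tfoo.c\t/^int abc/;\"\tf\n"
        "abc\tfoo.c\t/^int abc/;\"\tf\n";
    ssize_t len = (ssize_t)strlen(unsorted);
    if (write(fd, unsorted, (size_t)len) != len) {
        close(fd);
        unlink(path);
        return 0;
    }
    close(fd);

    int rc = sort_tags_file_safe(path);

    char buf[256] = {0};
    FILE *f = fopen(path, "r");
    size_t got = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f)
        fclose(f);
    unlink(path);

    const char *expected =
        "abc\tfoo.c\t/^int abc/;\"\tf\n"
        "main\tfoo.c\t/^int main/;\"\tf\n";
    return rc == 0 && got == strlen(expected) && strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *crafted = "tags; touch /tmp/pwned";
    printf("system(3) would receive: %s\n", unsafe_command_for(crafted));
    printf("metacharacters present: %d\n", has_shell_metachar(crafted));
    printf("safe round trip ok: %d\n", demo_safe_sort_roundtrip());
    return 0;
}
```

The point of the comparison is that filtering metacharacters narrows the attack surface but still leaves a shell between the program and the file name; execlp() with the name as its own argument removes the shell, so the same crafted name cannot become a command no matter what characters it contains.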

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release                 Version                        Status
exuberant-ctags (PTS)   bullseye                1:5.9~svn20110310-14+deb11u1   fixed
exuberant-ctags         bookworm                1:5.9~svn20110310-18           fixed
exuberant-ctags         sid, trixie             1:5.9~svn20110310-19           fixed
universal-ctags (PTS)   bullseye                0+git20200824-1.1              fixed
universal-ctags         sid, trixie, bookworm   5.9.20210829.0-1               fixed

The information below is based on the following data on fixed versions.

Package           Type     Release      Fixed Version                  Urgency   Origin       Debian Bugs
exuberant-ctags   source   buster       1:5.9~svn20110310-12+deb10u1             DLA-3254-1
exuberant-ctags   source   bullseye     1:5.9~svn20110310-14+deb11u1
exuberant-ctags   source   (unstable)   1:5.9~svn20110310-18                                  1026995
universal-ctags   source   (unstable)   (not affected)

Notes

- universal-ctags <not-affected> (Fixed before initial upload to Debian)
https://bugzilla.redhat.com/show_bug.cgi?id=2153519
Fixed by: https://github.com/universal-ctags/ctags/commit/e00c55d7a0204dc1d0ae316141323959e1e16162
