CVE-2022-4515

Name: CVE-2022-4515
Description: A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified on the command line or in the configuration file results in arbitrary command execution because externalSortTags() in sort.c calls the system(3) function in an unsafe way.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3254-1
Debian Bugs: 1026995

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release                Version                        Status
exuberant-ctags (PTS)   buster                 1:5.9~svn20110310-12           vulnerable
                        buster (security)      1:5.9~svn20110310-12+deb10u1   fixed
                        bullseye               1:5.9~svn20110310-14           vulnerable
                        bookworm               1:5.9~svn20110310-18           fixed
                        sid, trixie            1:5.9~svn20110310-19           fixed
universal-ctags (PTS)   buster                 0+git20181215-2                fixed
                        bullseye               0+git20200824-1.1              fixed
                        sid, trixie, bookworm  5.9.20210829.0-1               fixed

The information below is based on the following data on fixed versions.

Package           Type     Release      Fixed Version                  Urgency   Origin       Debian Bugs
exuberant-ctags   source   buster       1:5.9~svn20110310-12+deb10u1             DLA-3254-1
exuberant-ctags   source   (unstable)   1:5.9~svn20110310-18                                  1026995
universal-ctags   source   (unstable)   (not affected)

Notes

[bullseye] - exuberant-ctags <no-dsa> (Minor issue)
- universal-ctags <not-affected> (Fixed before initial upload to Debian)
https://bugzilla.redhat.com/show_bug.cgi?id=2153519
Fixed by: https://github.com/universal-ctags/ctags/commit/e00c55d7a0204dc1d0ae316141323959e1e16162
