oss-sec mailing list archives
Re: CVE request: exuberant-ctags: CPU/disk DoS on minified JavaScript file
From: cve-assign () mitre org
Date: Mon, 29 Sep 2014 16:01:14 -0400 (EDT)
> https://bugs.debian.org/742605 was reported some time ago against the Debian package of Exuberant Ctags (http://ctags.sourceforge.net/); it's a CPU/disk denial of service that results from attempting to run ctags over large volumes of public source code.
>
> Not affected: 5.6
> Affected: 5.8 (the latest release)
>
> Upstream fix, determined by bisection: http://sourceforge.net/p/ctags/code/791/
> As far as I know this was not identified as a security problem upstream, just fixed as a normal bug in the course of development.

It seems unlikely that there's an alternate perspective in which it's not an upstream vulnerability. Untrusted .js input seems to be a common use case, and the impact is an infinite loop (or similar).

> The sources.debian.net use case turns it into a DoS ...
> Since we'd like to issue patches for this bug as security updates, please could I have a CVE identifier for this?

Use CVE-2014-7204.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Current thread:
- CVE request: exuberant-ctags: CPU/disk DoS on minified JavaScript file Colin Watson (Sep 27)
- Re: CVE request: exuberant-ctags: CPU/disk DoS on minified JavaScript file cve-assign (Sep 29)