Re: CVE request: exuberant-ctags: CPU/disk DoS on minified JavaScript file

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugs.debian.org/742605 was reported some time ago against the
> Debian package of Exuberant Ctags (http://ctags.sourceforge.net/); it's
> a CPU/disk denial of service that results from attempting to run ctags
> over large volumes of public source code.

> Not affected: 5.6
> Affected: 5.8 (the latest release)

> Upstream fix, determined by bisection:
>   http://sourceforge.net/p/ctags/code/791/
>
> As far as I know this was not identified as a security problem upstream,
> just fixed as a normal bug in the course of development.

It seems unlikely that there's an alternate perspective in which it's
not an upstream vulnerability. Untrusted .js input seems to be a
common use case, and the impact is an infinite loop (or similar).

> The sources.debian.net use case turns it into a DoS ... Since we'd
> like to issue patches for this bug as security updates, please could I
> have a CVE identifier for this?

Use CVE-2014-7204.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUKboyAAoJEKllVAevmvmsWkoH/0PjJDl0EV42AF4FG71fP8Nr
6c16Ieb/JoJjZGC5idn/20+j+yczi7vmoHfV6OUchEFjGlICAv1bMBsCQf/vl35k
VO6T2360SOXaxM2TV4B57INLkP+W90vDPG5ipSYNJibbP7cAeJs9xzME4frKH1Ah
Bz6dAQtGBOAmBOKVcmqWnugaJxuSezAnegeGHox8OOSQUASoyY1A/syNP8oC5Gql
ty9aigFS0lLq1cQdHPvHkK6Wce5iSlvlIzxCgCfsFfrDKCceH+lWJjJlalEZprtz
lwexkSXHEJCe9kxeV8EyC/xykhAQUyNZz10qWX68YKakUeU4qZcG0KSDHbQjX3E=
=e/jY
-----END PGP SIGNATURE-----