2023-04-08
ALT-BU-2023-3141-1
Branch sisyphus_riscv64 update bulletin.
Package ctags updated to version 5.8-alt6 for branch sisyphus_riscv64.
Closed vulnerabilities
Published: 2022-12-20
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2022-4515
A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.
Severity: HIGH (7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- [debian-lts-announce] 20221231 [SECURITY] [DLA 3254-1] exuberant-ctags security update
- [debian-lts-announce] 20221231 [SECURITY] [DLA 3254-1] exuberant-ctags security update
- https://sourceforge.net/p/ctags/code/HEAD/tree/tags/ctags-5.8/sort.c#l56
- https://sourceforge.net/p/ctags/code/HEAD/tree/tags/ctags-5.8/sort.c#l56