Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 29 Sep 2014 16:01:14 -0400 (EDT)
From: cve-assign@...re.org
To: cjwatson@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: exuberant-ctags: CPU/disk DoS on minified JavaScript file

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugs.debian.org/742605 was reported some time ago against the
> Debian package of Exuberant Ctags (http://ctags.sourceforge.net/); it's
> a CPU/disk denial of service that results from attempting to run ctags
> over large volumes of public source code.

> Not affected: 5.6
> Affected: 5.8 (the latest release)

> Upstream fix, determined by bisection:
>   http://sourceforge.net/p/ctags/code/791/
> 
> As far as I know this was not identified as a security problem upstream,
> just fixed as a normal bug in the course of development.

It seems unlikely that there's an alternate perspective in which it's
not an upstream vulnerability. Untrusted .js input seems to be a
common use case, and the impact is an infinite loop (or similar).

> The sources.debian.net use case turns it into a DoS ... Since we'd
> like to issue patches for this bug as security updates, please could I
> have a CVE identifier for this?

Use CVE-2014-7204.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUKboyAAoJEKllVAevmvmsWkoH/0PjJDl0EV42AF4FG71fP8Nr
6c16Ieb/JoJjZGC5idn/20+j+yczi7vmoHfV6OUchEFjGlICAv1bMBsCQf/vl35k
VO6T2360SOXaxM2TV4B57INLkP+W90vDPG5ipSYNJibbP7cAeJs9xzME4frKH1Ah
Bz6dAQtGBOAmBOKVcmqWnugaJxuSezAnegeGHox8OOSQUASoyY1A/syNP8oC5Gql
ty9aigFS0lLq1cQdHPvHkK6Wce5iSlvlIzxCgCfsFfrDKCceH+lWJjJlalEZprtz
lwexkSXHEJCe9kxeV8EyC/xykhAQUyNZz10qWX68YKakUeU4qZcG0KSDHbQjX3E=
=e/jY
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.