Message-Id: <20140929200114.8E576C504C4@smtptsrv1.mitre.org>
Date: Mon, 29 Sep 2014 16:01:14 -0400 (EDT)
From: cve-assign@...re.org
To: cjwatson@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: exuberant-ctags: CPU/disk DoS on minified JavaScript file

> https://bugs.debian.org/742605 was reported some time ago against the
> Debian package of Exuberant Ctags (http://ctags.sourceforge.net/); it's
> a CPU/disk denial of service that results from attempting to run ctags
> over large volumes of public source code.

> Not affected: 5.6
> Affected: 5.8 (the latest release)
> Upstream fix, determined by bisection:
> http://sourceforge.net/p/ctags/code/791/
>
> As far as I know this was not identified as a security problem upstream,
> just fixed as a normal bug in the course of development.

It seems unlikely that there's an alternate perspective in which it's
not an upstream vulnerability. Untrusted .js input seems to be a
common use case, and the impact is an infinite loop (or similar).

> The sources.debian.net use case turns it into a DoS ... Since we'd
> like to issue patches for this bug as security updates, please could I
> have a CVE identifier for this?

Use CVE-2014-7204.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]