Vulnerability CVE-2022-4515: Information

Description

A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-4515

Published: Dec. 20, 2022

Modified: Jan. 3, 2023

Error type identifier: CWE-78

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
ctags	sisyphus	5.8-alt6	5.8-alt6	ALT-PU-2023-1594-1	318241	Fixed
ctags	sisyphus_e2k	5.8-alt6	5.8-alt6	ALT-PU-2023-3136-1	-	Fixed
ctags	sisyphus_riscv64	5.8-alt6	5.8-alt6	ALT-PU-2023-3140-1	-	Fixed
ctags	c10f1	5.8-alt6	5.8-alt6	ALT-PU-2024-7062-2	345756	Fixed
ctags	c9f2	5.8-alt6	5.8-alt6	ALT-PU-2024-7014-3	345698	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://sourceforge.net/p/ctags/code/HEAD/tree/tags/ctags-5.8/sort.c#l56	Exploit Third Party Advisory
[debian-lts-announce] 20221231 [SECURITY] [DLA 3254-1] exuberant-ctags security update	Mailing List Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:a:exuberant_ctags_project:exuberant_ctags:*:*:*:*:*:*:*:*
  
  Configuration 2
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Version: v24.5.1

Vulnerability CVE-2022-4515: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2