Source: exuberant-ctags
Version: 1:5.9~svn20110310-17
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for exuberant-ctags. It seems to affect as well the old version (while src:universal-ctags was fixed before the initial upload to Debian). I guess it's too late for bookworm to try to get rid of exuberant-ctags in the archive.

CVE-2022-4515[0]:
| A flaw was found in Exuberant Ctags in the way it handles the "-o"
| option. This option specifies the tag filename. A crafted tag filename
| specified in the command line or in the configuration file results in
| arbitrary command execution because the externalSortTags() in sort.c
| calls the system(3) function in an unsafe way.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-4515
    https://www.cve.org/CVERecord?id=CVE-2022-4515
[1] https://github.com/universal-ctags/ctags/commit/e00c55d7a0204dc1d0ae316141323959e1e16162

Regards,
Salvatore
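
Added example, not part of the original report and not code from ctags or from the upstream commit: the CVE text attributes the flaw to the tag filename reaching system(3), so this C example shows the general mitigation of running sort(1) with an argument vector so that no shell ever parses the name. The function names, the `-u -o` invocation and the sample filename are assumptions made for illustration.

```c
/* Added example: hypothetical helper names, not code from ctags. */
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Sort tagfile in place by running sort(1) directly with an argv array.
 * No shell parses the name, so quotes, spaces or ';' in it stay data.
 * Returns sort's exit status, or -1 if it could not be run. */
int sort_tags_noshell(const char *tagfile)
{
    /* "-o" consumes the next argument as the output name; "--" ends option
     * parsing so an input name beginning with '-' is not taken as a flag. */
    char *const argv[] = { "sort", "-u", "-o", (char *)tagfile,
                           "--", (char *)tagfile, NULL };
    pid_t pid;
    int status;

    if (posix_spawnp(&pid, "sort", NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed self-check: a tag file whose name holds shell metacharacters
 * is sorted as one literal file. Returns 0 on success. */
int demo_sort_metachar_name(void)
{
    const char *name = "tags 'demo'; x.tmp";   /* constructed sample name */
    char first[16] = "";
    FILE *f = fopen(name, "w");
    if (f == NULL) return -1;
    fputs("zeta\nalpha\nalpha\n", f);
    fclose(f);

    int rc = sort_tags_noshell(name);
    if ((f = fopen(name, "r")) != NULL) {
        if (fgets(first, sizeof first, f) == NULL) first[0] = '\0';
        fclose(f);
    }
    unlink(name);
    return (rc == 0 && strcmp(first, "alpha\n") == 0) ? 0 : 1;
}
```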