RHSA-2023:2863: Red Hat Security Advisory: ctags security update
An update for ctags is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-4515: A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified on the command line or in the configuration file results in arbitrary command execution because the externalSortTags() function in sort.c calls system(3) in an unsafe way.
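The bug class described for CVE-2022-4515, as an added example that is not taken from the ctags source or from Red Hat's patch: the first function shows a file name being pasted into a string destined for system(3), the second runs sort(1) without a shell so the name stays a single argument. The function names, the `sort -u -o` command line and the `/tmp/demo;tags` path are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern (illustrative, not ctags source): the name is pasted into a
 * string meant for system(3), so a shell would parse any metacharacters. */
int build_shell_command(char *buf, size_t len, const char *tagfile)
{
    int n = snprintf(buf, len, "sort -u -o %s %s", tagfile, tagfile);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;   /* -1 on truncation */
}

/* Hardened form: no shell; the name is a single argv element of sort(1). */
int sort_tags_noshell(const char *tagfile)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* "--" ends option parsing, so a leading '-' is not read as a flag */
        execlp("sort", "sort", "-u", "-o", tagfile, "--", tagfile, (char *)NULL);
        _exit(127);                                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed check: write unsorted lines to `path`, sort, compare result. */
int demo_roundtrip(const char *path)
{
    char out[16];
    size_t n;
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("b\na\nb\n", f);
    fclose(f);
    if (sort_tags_noshell(path) != 0) return -1;
    if (!(f = fopen(path, "r"))) return -1;
    n = fread(out, 1, sizeof out - 1, f);
    fclose(f);
    remove(path);
    out[n] = '\0';
    return strcmp(out, "a\nb\n") == 0 ? 0 : 1;
}

int main(void)
{
    return demo_roundtrip("/tmp/demo;tags");  /* constructed name; 0 on success */
}
```

The `;` in the constructed name reaches the shell string unescaped in the first function, while the second treats the whole name as one file.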
Issued: 2023-05-16
Updated: 2023-05-16
RHSA-2023:2863 - Security Advisory
Synopsis
Moderate: ctags security update
Type/Severity
Security Advisory: Moderate
Topic
An update for ctags is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Ctags is a C programming language indexing and cross-reference tool.
Security Fix(es):
- ctags: arbitrary command execution via a tag file with a crafted filename (CVE-2022-4515)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
- Red Hat CodeReady Linux Builder for x86_64 8 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x
Fixes
- BZ - 2153519 - CVE-2022-4515 ctags: arbitrary command execution via a tag file with a crafted filename
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index
Red Hat Enterprise Linux for x86_64 8
SRPM
ctags-5.8-23.el8.src.rpm
x86_64
ctags-5.8-23.el8.x86_64.rpm
ctags-debuginfo-5.8-23.el8.x86_64.rpm
ctags-debugsource-5.8-23.el8.x86_64.rpm
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
ctags-5.8-23.el8.src.rpm
s390x
ctags-5.8-23.el8.s390x.rpm
ctags-debuginfo-5.8-23.el8.s390x.rpm
ctags-debugsource-5.8-23.el8.s390x.rpm
Red Hat Enterprise Linux for Power, little endian 8
SRPM
ctags-5.8-23.el8.src.rpm
ppc64le
ctags-5.8-23.el8.ppc64le.rpm
ctags-debuginfo-5.8-23.el8.ppc64le.rpm
ctags-debugsource-5.8-23.el8.ppc64le.rpm
Red Hat Enterprise Linux for ARM 64 8
SRPM
ctags-5.8-23.el8.src.rpm
aarch64
ctags-5.8-23.el8.aarch64.rpm
ctags-debuginfo-5.8-23.el8.aarch64.rpm
ctags-debugsource-5.8-23.el8.aarch64.rpm
Red Hat CodeReady Linux Builder for x86_64 8
SRPM
x86_64
ctags-debuginfo-5.8-23.el8.x86_64.rpm
ctags-debugsource-5.8-23.el8.x86_64.rpm
ctags-etags-5.8-23.el8.x86_64.rpm
Red Hat CodeReady Linux Builder for Power, little endian 8
SRPM
ppc64le
ctags-debuginfo-5.8-23.el8.ppc64le.rpm
ctags-debugsource-5.8-23.el8.ppc64le.rpm
ctags-etags-5.8-23.el8.ppc64le.rpm
Red Hat CodeReady Linux Builder for ARM 64 8
SRPM
aarch64
ctags-debuginfo-5.8-23.el8.aarch64.rpm
ctags-debugsource-5.8-23.el8.aarch64.rpm
ctags-etags-5.8-23.el8.aarch64.rpm
Red Hat CodeReady Linux Builder for IBM z Systems 8
SRPM
s390x
ctags-debuginfo-5.8-23.el8.s390x.rpm
ctags-debugsource-5.8-23.el8.s390x.rpm
ctags-etags-5.8-23.el8.s390x.rpm
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2023-2863-01 - Ctags is a C programming language indexing and cross-reference tool.
Ubuntu Security Notice 5820-1 - Lorenz Hipp discovered a flaw in exuberant-ctags handling of the tag filename command-line argument. A crafted tag filename specified in the command line or in the configuration file could result in arbitrary command execution.