Sun Mar 29 09:19:06 2015 UTC ()
SECURITY: Fix CVE-2014-7204 (DoS in JavaScript parser) in exuberant-ctags.


(bsiegert)
diff -r1.26 -r1.27 pkgsrc/devel/exctags/Makefile
diff -r1.12 -r1.13 pkgsrc/devel/exctags/distinfo
diff -r0 -r1.1 pkgsrc/devel/exctags/patches/patch-CVE-2014-7204
cvs diff -r1.26 -r1.27 pkgsrc/devel/exctags/Makefile (expand / switch to unified diff)

--- pkgsrc/devel/exctags/Makefile 2014/10/09 14:06:08 1.26
+++ pkgsrc/devel/exctags/Makefile 2015/03/29 09:19:06 1.27
@@ -1,18 +1,19 @@ @@ -1,18 +1,19 @@
1# $NetBSD: Makefile,v 1.26 2014/10/09 14:06:08 wiz Exp $ 1# $NetBSD: Makefile,v 1.27 2015/03/29 09:19:06 bsiegert Exp $
2# 2#
3 3
4DISTNAME= ctags-5.8 4DISTNAME= ctags-5.8
5PKGNAME= ex${DISTNAME} 5PKGNAME= ex${DISTNAME}
 6PKGREVISION= 1
6CATEGORIES= devel 7CATEGORIES= devel
7MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=ctags/} 8MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=ctags/}
8 9
9MAINTAINER= pkgsrc-users@NetBSD.org 10MAINTAINER= pkgsrc-users@NetBSD.org
10HOMEPAGE= http://ctags.sourceforge.net/ 11HOMEPAGE= http://ctags.sourceforge.net/
11COMMENT= Exuberant (feature-filled) tagfile generator for vi, emacs and clones 12COMMENT= Exuberant (feature-filled) tagfile generator for vi, emacs and clones
12LICENSE= gnu-gpl-v2 13LICENSE= gnu-gpl-v2
13 14
14GNU_CONFIGURE= yes 15GNU_CONFIGURE= yes
15CONFIGURE_ARGS+= --enable-macro-patterns 16CONFIGURE_ARGS+= --enable-macro-patterns
16CONFIGURE_ARGS+= --with-readlib 17CONFIGURE_ARGS+= --with-readlib
17CONFIGURE_ARGS+= --enable-custom-config=${PKG_SYSCONFDIR}/ctags.conf 18CONFIGURE_ARGS+= --enable-custom-config=${PKG_SYSCONFDIR}/ctags.conf
18 19
cvs diff -r1.12 -r1.13 pkgsrc/devel/exctags/distinfo (expand / switch to unified diff)

--- pkgsrc/devel/exctags/distinfo 2013/05/05 21:56:22 1.12
+++ pkgsrc/devel/exctags/distinfo 2015/03/29 09:19:06 1.13
@@ -1,7 +1,8 @@ @@ -1,7 +1,8 @@
1$NetBSD: distinfo,v 1.12 2013/05/05 21:56:22 rodent Exp $ 1$NetBSD: distinfo,v 1.13 2015/03/29 09:19:06 bsiegert Exp $
2 2
3SHA1 (ctags-5.8.tar.gz) = 482da1ecd182ab39bbdc09f2f02c9fba8cd20030 3SHA1 (ctags-5.8.tar.gz) = 482da1ecd182ab39bbdc09f2f02c9fba8cd20030
4RMD160 (ctags-5.8.tar.gz) = 191495869fbfa2f77a9619a4920eba26d02eface 4RMD160 (ctags-5.8.tar.gz) = 191495869fbfa2f77a9619a4920eba26d02eface
5Size (ctags-5.8.tar.gz) = 479927 bytes 5Size (ctags-5.8.tar.gz) = 479927 bytes
 6SHA1 (patch-CVE-2014-7204) = 70ae27b0b69962323cb6ec8ad89b77e6dc958cdb
6SHA1 (patch-aa) = 41dc0fdc949fc3a62409b17790002dc9d70cc9db 7SHA1 (patch-aa) = 41dc0fdc949fc3a62409b17790002dc9d70cc9db
7SHA1 (patch-ab) = 5659b06f692cc210af42e4cf73d8598cedb12086 8SHA1 (patch-ab) = 5659b06f692cc210af42e4cf73d8598cedb12086
File Added: pkgsrc/devel/exctags/patches/patch-CVE-2014-7204
$NetBSD: patch-CVE-2014-7204,v 1.1 2015/03/29 09:19:06 bsiegert Exp $

http://sourceforge.net/p/ctags/code/791/

Fix denial of service that results from attempting to run ctags
over large volumes of public source code.
--- jscript.c
+++ jscript.c
@@ -215,6 +215,7 @@
  *	 Tag generation functions
  */
 
+/*
 static void makeConstTag (tokenInfo *const token, const jsKind kind)
 {
 	if (JsKinds [kind].enabled && ! token->ignoreTag )
@@ -238,12 +239,13 @@
 
 	if (JsKinds [kind].enabled && ! token->ignoreTag )
 	{
-		/*
+		*
 		 * If a scope has been added to the token, change the token
 		 * string to include the scope when making the tag.
-		 */
+		 *
 		if ( vStringLength(token->scope) > 0 )
 		{
+			*
 			fulltag = vStringNew ();
 			vStringCopy(fulltag, token->scope);
 			vStringCatS (fulltag, ".");
@@ -251,8 +253,54 @@
 			vStringTerminate(fulltag);
 			vStringCopy(token->string, fulltag);
 			vStringDelete (fulltag);
-		}
-		makeConstTag (token, kind);
+			*
+ 			jsKind parent_kind = JSTAG_CLASS;
+ 
+ 			* 
+			 * if we're creating a function (and not a method),
+ 			 * guess we're inside another function 
+			 *
+ 			if (kind == JSTAG_FUNCTION)
+ 				parent_kind = JSTAG_FUNCTION;
+ 
+ 			e.extensionFields.scope[0] = JsKinds [parent_kind].name;
+ 			e.extensionFields.scope[1] = vStringValue (token->scope);
+		}
+		* makeConstTag (token, kind); *
+ 		makeTagEntry (&e);
+	}
+}
+*/
+
+static void makeJsTag (tokenInfo *const token, const jsKind kind)
+{
+	if (JsKinds [kind].enabled && ! token->ignoreTag )
+	{
+		const char *const name = vStringValue (token->string);
+		tagEntryInfo e;
+		initTagEntry (&e, name);
+
+		e.lineNumber   = token->lineNumber;
+		e.filePosition = token->filePosition;
+		e.kindName	   = JsKinds [kind].name;
+		e.kind		   = JsKinds [kind].letter;
+
+		if ( vStringLength(token->scope) > 0 )
+		{
+			jsKind parent_kind = JSTAG_CLASS;
+
+			/* 
+			 * If we're creating a function (and not a method),
+			 * guess we're inside another function 
+			 */
+			if (kind == JSTAG_FUNCTION)
+				parent_kind = JSTAG_FUNCTION;
+
+			e.extensionFields.scope[0] = JsKinds [parent_kind].name;
+			e.extensionFields.scope[1] = vStringValue (token->scope);
+		}
+
+		makeTagEntry (&e);
 	}
 }