* [Caml-list] [cve-assign@mitre.org] [oss-security] Re: buffer overflow and information leak in OCaml < 4.03.0
@ 2016-04-29 16:46 Adrien Nader
0 siblings, 0 replies; only message in thread
From: Adrien Nader @ 2016-04-29 16:46 UTC (permalink / raw)
To: caml-list
[-- Attachment #1: Type: text/plain, Size: 126 bytes --]
This is probably of interest to the list.
PS: no credit goes to me, I'm merely subscribed to oss-security@
--
Adrien Nader
[-- Attachment #2: Type: message/rfc822, Size: 4024 bytes --]
From: cve-assign@mitre.org
To: cuoq@trust-in-soft.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com
Subject: [oss-security] Re: buffer overflow and information leak in OCaml < 4.03.0
Date: Fri, 29 Apr 2016 10:49:11 -0400 (EDT)
Message-ID: <20160429144911.5DD178BC4E6@smtpvmsrv1.mitre.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit
> platforms, causes sizes arguments to an internal memmove call to be
> sign-extended from 32 to 64-bits before being passed to the memmove
> function.
>
> This leads arguments between 2GiB and 4GiB to be interpreted as larger
> than they are (specifically, a bit below 2^64), causing a buffer
> overflow.
>
> Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than
> they should be, causing a possible information leak.
>
> This commit fixes the bug:
> https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
> The function caml_bit_string is called indirectly from such functions
> as String.copy. String.copy for instance is supposed to be a "safe"
> function for which OCaml's memory safety guarantees apply.
Use CVE-2015-8869.
(We consider this a single "to be sign-extended from 32 to 64" issue
even though there are two different types of impacts. Also, the
structure of the code change ("Int_val" replaced by "Long_val") is the
same everywhere. We did not consider it worthwhile to sort through the
possible "independently encountered" aspects as mentioned, for
example, in the
https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#commitcomment-14040616
comment.)
- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJXI3NXAAoJEHb/MwWLVhi2RdEQAI71I2vgUNPxtIPV5muuzuT/
BGlgZLTiWI6HgmFvV7mRtNonvKockAP150f7cArfGgsG13DVViE45IYCk4WHacnW
aTfRtbPYBZ+eawApm1tWmSxXi4Idt2sSBPXxnA46vwKUZo3oDG8p0oxEanZ1O1Y6
v+zAL4vVNq+IdSnpPzwM368C/gc1KDBM0uLu7qVoV6E2qHriWXpWpEZ7MGqab5Dv
2/8ZhpdAnZDVzMSzGbKY+h1k1JjwWnIx3WmWzU65JKF3ccDtLyWy+LaRT5D63d/K
f5orQDKfJyxc9UQIa+TH4waYQZ64f1xb5haTZaQv8tJVxlwVKD0vVk/eVrlN/r1e
XXbtknwlMcWLf30hKqzOcDwAfWf2rPtUk5h6PotFVR42esLTTDg7BlIjYFilBXw0
AlVyDrZ4cBlnd3ZeeyJW2moEoErRlnYFrqdijjIBmHPokoPVAOUcfcU2saBfkFqP
suYLBcMHrpvitrr4V5yu5T2ZYZI9DtEse+z3Oe+wupCemyfoXXcGvX7Kwz0j4oIk
bFDuuKtNpo4do+2JkCwbczGwIGAyW20rBbyJqkMMGI1c3VlY/rzn8hES3ltKjVND
1WShu2c9wwyIhhYUKuacdx8RvuZinNBAlmkWdpNUI33XsVXmdRiEhjB+RGyvqv/X
a2JgvU+8pOLRMJsRX7CA
=BBAV
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-04-29 16:46 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-04-29 16:46 [Caml-list] [cve-assign@mitre.org] [oss-security] Re: buffer overflow and information leak in OCaml < 4.03.0 Adrien Nader
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).