From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zhenya1007@gmail.com>
X-Original-To: caml-list@sympa.inria.fr
Delivered-To: caml-list@sympa.inria.fr
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83])
	by sympa.inria.fr (Postfix) with ESMTPS id B4C798239C
	for <caml-list@sympa.inria.fr>; Wed, 31 Jan 2018 02:43:07 +0100 (CET)
Authentication-Results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=zhenya1007@gmail.com; spf=Pass smtp.mailfrom=zhenya1007@gmail.com; spf=None smtp.helo=postmaster@mail-yw0-f176.google.com
Received-SPF: None (mail2-smtp-roc.national.inria.fr: no sender
  authenticity information available from domain of
  zhenya1007@gmail.com) identity=pra; client-ip=209.85.161.176;
  receiver=mail2-smtp-roc.national.inria.fr;
  envelope-from="zhenya1007@gmail.com";
  x-sender="zhenya1007@gmail.com";
  x-conformance=sidf_compatible
Received-SPF: Pass (mail2-smtp-roc.national.inria.fr: domain of
  zhenya1007@gmail.com designates 209.85.161.176 as permitted
  sender) identity=mailfrom; client-ip=209.85.161.176;
  receiver=mail2-smtp-roc.national.inria.fr;
  envelope-from="zhenya1007@gmail.com";
  x-sender="zhenya1007@gmail.com";
  x-conformance=sidf_compatible; x-record-type="v=spf1"
Received-SPF: None (mail2-smtp-roc.national.inria.fr: no sender
  authenticity information available from domain of
  postmaster@mail-yw0-f176.google.com) identity=helo;
  client-ip=209.85.161.176;
  receiver=mail2-smtp-roc.national.inria.fr;
  envelope-from="zhenya1007@gmail.com";
  x-sender="postmaster@mail-yw0-f176.google.com";
  x-conformance=sidf_compatible
IronPort-PHdr: =?us-ascii?q?9a23=3AlIfiqheJsEQDKbotQBiYCB+KlGMj4u6mDksu8pMi?=
 =?us-ascii?q?zoh2WeGdxcu9bR7h7PlgxGXEQZ/co6odzbaO6ua4ASQp2tWoiDg6aptCVhsI24?=
 =?us-ascii?q?09vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7?=
 =?us-ascii?q?Ovr6GpLIj8Swyuu+54Dfbx9HiTahfL9+Ngm6oRnMvcQKnIVuLbo8xAHUqXVSYe?=
 =?us-ascii?q?RWwm1oJVOXnxni48q74YBu/SdNtf8/7sBMSar1cbg2QrxeFzQmLns65Nb3uhnZ?=
 =?us-ascii?q?TAuA/WUTX2MLmRdVGQfF7RX6XpDssivms+d2xSeXMdHqQb0yRD+v9LlgRgP2hy?=
 =?us-ascii?q?gbNj456GDXhdJ2jKJHuxKquhhzz5fJbI2JKPZye6XQds4YS2VcRMZcTyxPDI2/?=
 =?us-ascii?q?YYUSEeQOIf1VoJPhq1YUtxayGRWgCeHpxzRVhnH2x6o60+E5HA/JwgwgEMwBsH?=
 =?us-ascii?q?LUrd7oKKkSVv21w7LJzTXFc/xW2Sv955bJchAnvPqBWrNxccrPxkkpFwLKlEic?=
 =?us-ascii?q?pZD5Mz6XzekNvG2b4PBhVeKrkWIotwZxoj22y8oql4LHhZoVx0ja+SllxIs5P9?=
 =?us-ascii?q?61RU5hbdK5EZZcqjuWO5Z0T84jRWxjpTw0xaccuZGheSgH0JQnyADba/yAa4WI?=
 =?us-ascii?q?5wjsVOeVITthhHNkdq6ziw+88US9yODxV9O40FlNripCndnMsm4C2wbP5ciAT/?=
 =?us-ascii?q?tx5kah2TCR2ADP8uxIP1w4mK7BJ5MiwrM8jIcfvEXeEiPshUn7jq6bel0h+uey?=
 =?us-ascii?q?6uTnZrvmpoWbN49xkgz/M6QuldK5AeU4KAcCQnSX9fi+2bD48k35Ra9Fjvwykq?=
 =?us-ascii?q?XDrJ/aIsEbqrajAwBJyoYj9wq/DzC+3dsEh3YHKVZFdAuDj4joIFHOPOv1Dey/?=
 =?us-ascii?q?glSpiDdk3erKPrznApXXL3jMiq3tfbhn6x0U9A1m6vtW4pYcL7gAJPP1VQfVtc?=
 =?us-ascii?q?fERksyOgmwhuLmE8lV14UEWGvJDLXPY43Itlrdy/wgLu+dLLUSpTz8LfMl+/Pv?=
 =?us-ascii?q?izdti18Qe7ighMNPN1i3G/1nJwOSZn+60YRJKnsDogdrFL+is1aFSzMGIi/qB/?=
 =?us-ascii?q?tttAF+M5qvCML4fq7ohbWA2CmhGZgPPzJJD1mNFTHjcIDWAq5QOhLXGddol3k/?=
 =?us-ascii?q?bZbkU5UojEj8uwrzyr4hJe3RqHVB6MDTkeNt7uiWrikcsDx5C8PHjTOIRmBw23?=
 =?us-ascii?q?IXH3o4hf8h50N6zViH3O5zhPkKTdE=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0B6FQCNHnFahrChVdFdHAECHAEGAYQLg?=
 =?us-ascii?q?QAoCoNWgTmXWEYBB4U0hQp/hF+IcoICCod+BxkHBDQUAQEBAQEBAQEBAQESAQE?=
 =?us-ascii?q?BCAsLCCgvgjgkAYJwHQEbHgMSCQc3AiQBEQEFASKKLwEDCA2XEYNFQIwUggUFA?=
 =?us-ascii?q?RyDCwWDYgoZJw1Zgm4CBhKERYFzIoEPhyeDHQSDT4JlBYEtAQEBkiSGQYl4CAE?=
 =?us-ascii?q?BgXAKh0CMLoIbhiGLbZdTFAUggRc2gXJwUjJSgSaCYQSCMyA3jmcBAQE?=
X-IPAS-Result: =?us-ascii?q?A0B6FQCNHnFahrChVdFdHAECHAEGAYQLgQAoCoNWgTmXWEY?=
 =?us-ascii?q?BB4U0hQp/hF+IcoICCod+BxkHBDQUAQEBAQEBAQEBAQESAQEBCAsLCCgvgjgkA?=
 =?us-ascii?q?YJwHQEbHgMSCQc3AiQBEQEFASKKLwEDCA2XEYNFQIwUggUFARyDCwWDYgoZJw1?=
 =?us-ascii?q?Zgm4CBhKERYFzIoEPhyeDHQSDT4JlBYEtAQEBkiSGQYl4CAEBgXAKh0CMLoIbh?=
 =?us-ascii?q?iGLbZdTFAUggRc2gXJwUjJSgSaCYQSCMyA3jmcBAQE?=
X-IronPort-AV: E=Sophos;i="5.46,437,1511823600"; 
   d="scan'208,217";a="311360774"
Received: from mail-yw0-f176.google.com ([209.85.161.176])
  by mail2-smtp-roc.national.inria.fr with ESMTP/TLS/AES128-GCM-SHA256; 31 Jan 2018 02:43:06 +0100
Received: by mail-yw0-f176.google.com with SMTP id v196so6328038ywc.6
        for <caml-list@inria.fr>; Tue, 30 Jan 2018 17:43:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=M6cJLWxld8uJvHy3LuGJTU6Q5pkCwmkXl/v6MoVSb9o=;
        b=E5WNf/yeQzrj4RXDG1KKNmK0SlAwnQu3hBqzu8pjPYyc/XG7ZeL2W2+hRhNPAYvF2L
         TTKF4AQiO445D2CDFoEdaPyh/9oOfzVJ33zC382gCcyiAH7tPuZiNOVOV575voR6n8MB
         j534XMTMoPFKVuSR8nVJnJotXswruy4FDDm1pOZ7hmb6dGi3yi8HVkeODu/IrzHQycy8
         Dtrbh3EXMZZRfRfRhwGp6W/qZtrv11fO9rV7u1LQGqiLpAokglxo0JqKhitMtGTMB7ma
         iBrQCPmuFiCHD3fe+XJWQKtSZZH6vOCOoVIbcAXxvrrgFd+V8uKAZCceJZU7k+w3Zk5I
         Hsrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=M6cJLWxld8uJvHy3LuGJTU6Q5pkCwmkXl/v6MoVSb9o=;
        b=cl0qDGv7XaT2AqaSe6b9jk4fcBI9zysEoG6zfTWxF67ZJpzXvz9nlZb0Heu14lcH+d
         Vu+bt7ZA9ppmARU69UyRHR9uT4xRzaKLoSBztZG1BU0f1vD5JY9fCoR7moM7G+5dHO3+
         V+v/ClDTYBCejpzBME+P4g3xiA7oR8mMzkYomlrN/e1uxvj7RsWBLj6TtYLPIfuh+7vy
         1C04TuIDh25Pvw4t9T6le+6d04N6ahB2ZDYgOoGN304JBnqJggbpfzsBBl56T8W+98ST
         Rw6zwPKeUIpn3rC1mUxn/OwgdoduTclhqskNn/ugWP9aDzdeNGeaJpYve6qflNtpLeFh
         npfw==
X-Gm-Message-State: AKwxytfWW3k9rEY8n0ur62nOwxc3e3ifVlA3EC0kYZXdzX1RtAJGc0FP
	jd06YZOlVkzEfwQZow7VHA4eC6XOm8bBbZwisubW5g==
X-Google-Smtp-Source: AH8x225ZXv38Qwgubt5iYspYI0M5Lm2jtVkMpEMHl0cD5m6TNd54C0o71Wx8iLTYb5862LmroFw9iSjmmZeHNPEouDg=
X-Received: by 10.37.10.3 with SMTP id 3mr11204950ybk.397.1517362984979; Tue,
 30 Jan 2018 17:43:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.178.138 with HTTP; Tue, 30 Jan 2018 17:43:04 -0800 (PST)
From: Evgeny Roubinchtein <zhenya1007@gmail.com>
Date: Tue, 30 Jan 2018 17:43:04 -0800
Message-ID: <CAGYXaSbWu_6j5qkuEs=M-1ycs5-3SB6OhihC8Di6dwZLDbeOQA@mail.gmail.com>
To: OCaml Mailing List <caml-list@inria.fr>
Content-Type: multipart/alternative; boundary="001a113db840b7140d05640899e5"
Subject: [Caml-list] OCaml vs CVE-2017-9779

--001a113db840b7140d05640899e5
Content-Type: text/plain; charset="UTF-8"

Dear OCaml users and developers,

My current employer ships an executable whose source code is written in
OCaml, and is trying to understand the security implications and mitigating
actions (if any) of CVE-2017-9779.   For the purposes of this discussion,
only the native code compiler (ocamlopt) is relevant.

The questions I would hope to get answers to are:

1. Which versions of the OCaml compiler produce executables which are
affected by the vulnerability/ies described in CVE-2017-9779?

2. What mitigation/s (if any) are suggested?

I will point out that my current employer and I are pretty confident that
we understand the issues described by CVE-2017-9772; the assumption we are
operating under is that there is a separate issue/issues that are different
from the issues covered in CVE-2017-9772.

If you would like to continue the discussion off-list, or would like to
encrypt further communication on this subject, or would like to see
non-disclosure agreements  signed in triplicate and delivered by bactrian
camels, please let me know what your requirements are: I will so inform my
employer and we'll try to accommodate.

Thank you in advance!

-- 
Best,
Evgeny ("Zhenya")

--001a113db840b7140d05640899e5
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>Dear OCaml users and developers,<br><br></div>My=
 current employer ships an executable whose source code is written in OCaml=
, and is trying to understand the security implications and mitigating acti=
ons (if any) of <span class=3D"gmail-il">CVE</span>-2017-9779.=C2=A0=C2=A0 =
For the purposes of this discussion, only the native code compiler (ocamlop=
t) is relevant.</div><div><br></div><div>The questions I would hope to get =
answers to are:</div><div><br></div><div>1. Which versions of the OCaml com=
piler produce executables which are affected by the vulnerability/ies descr=
ibed in <span class=3D"gmail-il">CVE</span>-2017-9779?<br></div><div><br></=
div><div>2. What mitigation/s (if any) are suggested?</div><div><br></div><=
div>I will point out that my current employer and I are pretty confident th=
at we understand the issues described by <span class=3D"gmail-il">CVE</span=
>-2017-9772; the assumption we are operating under is that there is a separ=
ate issue/issues that are different from the issues covered in <span class=
=3D"gmail-il">CVE</span>-2017-9772.</div><div><br></div><div>If you would l=
ike to continue the discussion off-list, or would like to encrypt further c=
ommunication on this subject, or would like to see non-disclosure agreement=
s=C2=A0 signed in triplicate and delivered by bactrian camels, please let m=
e know what your requirements are: I will so inform my employer and we&#39;=
ll try to accommodate.</div><div><br></div><div>Thank you in advance!</div>=
<div><br></div><div>-- <br></div><div>Best,<br></div><div>Evgeny (&quot;Zhe=
nya&quot;)<br></div><div><br></div></div>

--001a113db840b7140d05640899e5--