From: Alexey Egorov <alex.only.d@gmail.com>
To: Damien Doligez <Damien.Doligez@inria.fr>
Cc: caml users <caml-list@inria.fr>
Subject: Re: [Caml-list] OCaml release 4.04.2
Date: Fri, 23 Jun 2017 21:47:15 +0500 [thread overview]
Message-ID: <CAJannG7y83-V6uYw+8Chds_kJPmo__UKQAksrRDZvo-V1X6hcQ@mail.gmail.com> (raw)
In-Reply-To: <21771A83-D685-4776-9CE7-883775F05977@inria.fr>
Why the CPLUGINS feature is enabled by default AND completely undocumented?
Loading code to my app based on some unknown environment variable
_by_default_ already seems like a vulnerability to me.
2017-06-23 20:18 GMT+05:00 Damien Doligez <Damien.Doligez@inria.fr>:
>
> Dear OCaml users,
>
> We have the pleasure of celebrating the birthday of Alan Turing by
> announcing the release of OCaml version 4.04.2.
>
> This minor release fixes the security issue described in
> CVE-2017-9772 (included below).
>
> All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1.
> Any user who produces setuid programs with OCaml should read the CVE
> and upgrade immediately.
>
> It is available as an OPAM switch, or as a source download here:
> https://caml.inria.fr/pub/distrib/ocaml-4.04/
> https://github.com/ocaml/ocaml/archive/4.04.2.tar.gz
>
> Happy hacking,
>
> -- Damien Doligez for the OCaml team.
>
>
> OCaml 4.04.2 (23 Jun 2017):
> ---------------------------
>
> ### Security fix:
>
> - PR#7557: Local privilege escalation issue with ocaml binaries.
> (Damien Doligez, report by Eric Milliken, review by Xavier Leroy)
>
> --------------------------------------------------------------------
>
> CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables
>
> The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and
> CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled
> executable or any ocamlc-compiled executable in ‘custom runtime mode’.
> This can lead to privilege escalation if the executable is marked setuid.
>
> Vulnerable versions: OCaml 4.04.0 and 4.04.1
>
> Workarounds:
> - Upgrade to OCaml 4.04.2 or higher.
> or - Compile the OCaml distribution with the "-no-cplugins" configure option.
> or - OPAM users can "opam update && opam switch recompile 4.04.1", as
> the repository has had backported patches applied.
>
> Impact: This only affects binaries that have been installed on Unix-like
> operating systems (including Linux and macOS) with the setuid bit set.
> However, in that situation, any user who execute the program gains all
> the privileges of the owner of the executable (meaning that root-owned
> setuid executables provide root access).
>
> Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv
> to raise an exception if the process has ever had elevated privileges.
> The OCaml runtime has also been modified to use this function for
> retrieving all of the runtime environment variables which could potentially
> cause files to be accessed or modified. The older behaviour is available
> in Sys.unsafe_getenv for applications that require strict compatibility.
>
> Credits: This was originally reported by Eric Milliken on the OCaml Mantis
> bug tracker. https://caml.inria.fr/mantis/view.php?id=7557
>
> References: see CVE-2017-9779 for a lesser vulnerability in older versions.
>
> CVSS v2 Vector:
> AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L
> CWE ID: 114
>
>
> --
> Caml-list mailing list. Subscription management and archives:
> https://sympa.inria.fr/sympa/arc/caml-list
> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
> Bug reports: http://caml.inria.fr/bin/caml-bugs
next prev parent reply other threads:[~2017-06-23 16:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-23 15:18 Damien Doligez
2017-06-23 16:47 ` Alexey Egorov [this message]
2017-06-23 19:05 ` David Allsopp
2017-06-23 19:13 ` Gabriel Scherer
2017-06-23 19:53 ` octachron
2017-06-23 20:38 ` Hannes Mehnert
2017-06-23 21:18 ` Anil Madhavapeddy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJannG7y83-V6uYw+8Chds_kJPmo__UKQAksrRDZvo-V1X6hcQ@mail.gmail.com \
--to=alex.only.d@gmail.com \
--cc=Damien.Doligez@inria.fr \
--cc=caml-list@inria.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).