Re: [Caml-list] OCaml release 4.04.2

[Alexey Egorov <alex.only.d@gmail.com>]

Why the CPLUGINS feature is enabled by default AND completely undocumented?
Loading code to my app based on some unknown environment variable
_by_default_ already seems like a vulnerability to me.

2017-06-23 20:18 GMT+05:00 Damien Doligez <Damien.Doligez@inria.fr>:
>
> Dear OCaml users,
>
> We have the pleasure of celebrating the birthday of Alan Turing by
> announcing the release of OCaml version 4.04.2.
>
> This minor release fixes the security issue described in
> CVE-2017-9772 (included below).
>
> All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1.
> Any user who produces setuid programs with OCaml should read the CVE
> and upgrade immediately.
>
> It is available as an OPAM switch, or as a source download here:
>   https://caml.inria.fr/pub/distrib/ocaml-4.04/
>   https://github.com/ocaml/ocaml/archive/4.04.2.tar.gz
>
> Happy hacking,
>
> -- Damien Doligez for the OCaml team.
>
>
> OCaml 4.04.2 (23 Jun 2017):
> ---------------------------
>
> ### Security fix:
>
> - PR#7557: Local privilege escalation issue with ocaml binaries.
>   (Damien Doligez, report by Eric Milliken, review by Xavier Leroy)
>
> --------------------------------------------------------------------
>
> CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables
>
> The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and
> CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled
> executable or any ocamlc-compiled executable in ‘custom runtime mode’.
> This can lead to privilege escalation if the executable is marked setuid.
>
> Vulnerable versions: OCaml 4.04.0 and 4.04.1
>
> Workarounds:
>    - Upgrade to OCaml 4.04.2 or higher.
> or - Compile the OCaml distribution with the "-no-cplugins" configure option.
> or - OPAM users can "opam update && opam switch recompile 4.04.1", as
>      the repository has had backported patches applied.
>
> Impact: This only affects binaries that have been installed on Unix-like
> operating systems (including Linux and macOS) with the setuid bit set.
> However, in that situation, any user who execute the program gains all
> the privileges of the owner of the executable (meaning that root-owned
> setuid executables provide root access).
>
> Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv
> to raise an exception if the process has ever had elevated privileges.
> The OCaml runtime has also been modified to use this function for
> retrieving all of the runtime environment variables which could potentially
> cause files to be accessed or modified.  The older behaviour is available
> in Sys.unsafe_getenv for applications that require strict compatibility.
>
> Credits: This was originally reported by Eric Milliken on the OCaml Mantis
> bug tracker. https://caml.inria.fr/mantis/view.php?id=7557
>
> References: see CVE-2017-9779 for a lesser vulnerability in older versions.
>
> CVSS v2 Vector:
> AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L
> CWE ID: 114
>
>
> --
> Caml-list mailing list.  Subscription management and archives:
> https://sympa.inria.fr/sympa/arc/caml-list
> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
> Bug reports: http://caml.inria.fr/bin/caml-bugs