From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Original-To: caml-list@sympa.inria.fr Delivered-To: caml-list@sympa.inria.fr Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) by sympa.inria.fr (Postfix) with ESMTPS id 187CB8018B for ; Fri, 23 Jun 2017 18:47:18 +0200 (CEST) Authentication-Results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=alex.only.d@gmail.com; spf=Pass smtp.mailfrom=alex.only.d@gmail.com; spf=None smtp.helo=postmaster@mail-yw0-f179.google.com Received-SPF: None (mail2-smtp-roc.national.inria.fr: no sender authenticity information available from domain of alex.only.d@gmail.com) identity=pra; client-ip=209.85.161.179; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="alex.only.d@gmail.com"; x-sender="alex.only.d@gmail.com"; x-conformance=sidf_compatible Received-SPF: Pass (mail2-smtp-roc.national.inria.fr: domain of alex.only.d@gmail.com designates 209.85.161.179 as permitted sender) identity=mailfrom; client-ip=209.85.161.179; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="alex.only.d@gmail.com"; x-sender="alex.only.d@gmail.com"; x-conformance=sidf_compatible; x-record-type="v=spf1" Received-SPF: None (mail2-smtp-roc.national.inria.fr: no sender authenticity information available from domain of postmaster@mail-yw0-f179.google.com) identity=helo; client-ip=209.85.161.179; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="alex.only.d@gmail.com"; x-sender="postmaster@mail-yw0-f179.google.com"; x-conformance=sidf_compatible IronPort-PHdr: =?us-ascii?q?9a23=3AxWPqTBTlw2U1eNr8mPnGJxqHldpsv+yvbD5Q0YIu?= =?us-ascii?q?jvd0So/mwa6zYRSN2/xhgRfzUJnB7Loc0qyN4v+mATRIyK3CmUhKSIZLWR4BhJ?= =?us-ascii?q?detC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+?= =?us-ascii?q?KPjrFY7OlcS30P2594HObwlSijewZbF/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf?= =?us-ascii?q?5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbD?= =?us-ascii?q?VwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4rx1QxH0li?= =?us-ascii?q?gIKz858HnWisNuiqJbvAmhrAF7z4LNfY2ZKOZycqbbcNwdWGRBQ91RVzRfDYyg?= =?us-ascii?q?c4sBAe0BPeNCoIn8oVsFsB+yCAaoCe/qzDJDm3340rAg0+k5Ew7G0gwuEdwNvn?= =?us-ascii?q?rJstv6KKgcXPupzKnR1zjPc+9a1Sv/5YXObxsvoeuMXbV1ccfJ1UQvEx3Kj1qO?= =?us-ascii?q?po3lIjib2esNs2+B7+pnS+KklmkqpBt1ojexycYgkI7JhoQRylHE7yl23Z04Jd?= =?us-ascii?q?K9SEFhYN6kFIFcuD2dN4tzW84vRXxjtig9yr0Do5G7fS4KxYwmxx7ZcfyHcpKH?= =?us-ascii?q?7gjtVOaLOTt4i3NleK6/hxav6kes0PHzVs6x0FpSritKiNnMtncK1xDJ9seHTf?= =?us-ascii?q?5980G80jiMzwDe8v9ILVwwmKbBKJMswqQ8mocSvEjeBCP6hUf7gauQe0454Oan?= =?us-ascii?q?8f7nba/jppKEN497lAX+MqM2l8y6G+s4MwwOU3Gb+OWyyLHv5EP5TKhIg/AyiK?= =?us-ascii?q?XZv5faJcMUpq69HQBZyJos6xG6Dzu+0dQYm2cILE5ddR6Zk4TkP0vCLfP4APul?= =?us-ascii?q?nlihkSpny+rbMrDjBpjBNn3Dn63gfbZ55U5c0g0zzdVH6p1ODrEOPv3yVlX2tN?= =?us-ascii?q?zeCh84Mxa4zPv8BdVy04MRQ2OPAquDPKzOtl+I4/ojI/OQa48NpDb9N/8l6ubz?= =?us-ascii?q?gn8+nV8dfKap0oUWaX2jH/VmIkCZbmH2gtgbC2sKvww+TPbriFKYSzJTaWyyVb?= =?us-ascii?q?om5j4nEIKmEZvDRoe1jbOdxii7G5lWanlCClCNCnfoa56JW+wMaSKXOs9uiCYI?= =?us-ascii?q?VbmnS4871BGhrhX2y7R9LrmcxipNmZvm1dVzr8HUkRA9+C48W+iU1mCASSdYmW?= =?us-ascii?q?cJSDIk9KF5u010jFmZh/tWmftdQPVX6uNEQ08XOpnGyPIyX9n2VxKHedGNWRCq?= =?us-ascii?q?atqjCDA1CNk2xoldMA5GB9y+g0WbjGKRCLgPmunOWcU5?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AUAQBORU1ZhrOhVdFEGhwBAQQBAQoBA?= =?us-ascii?q?RcBAQQBAQoBAYNQP4ENB4NlihmPQAFzBoIbgU6GWoQbiEKCESyFeAKDAQc/GAE?= =?us-ascii?q?BAQEBAQEBAQEBEgEBAQgLCwgoL4IzJIJCAwMjHQEbEAILAQMMBgULDwIJHQICI?= =?us-ascii?q?gERAQUBChIGExKKAQEDCA0QMqELP4pVEYEjggQFARyDCQWDXgoZJwMKVoNEAQE?= =?us-ascii?q?BAQEBBAEBAQEBAQEZAgYSeYIcgjNSgiiCcDSDJoFEgxOCYQWHcwyBU4d3jRqHM?= =?us-ascii?q?4wwgglWiGCGUIkliikUH4EVH4FCMCEjXhmEZQ8QDIFtOTYBAYoTAQEB?= X-IPAS-Result: =?us-ascii?q?A0AUAQBORU1ZhrOhVdFEGhwBAQQBAQoBARcBAQQBAQoBAYN?= =?us-ascii?q?QP4ENB4NlihmPQAFzBoIbgU6GWoQbiEKCESyFeAKDAQc/GAEBAQEBAQEBAQEBE?= =?us-ascii?q?gEBAQgLCwgoL4IzJIJCAwMjHQEbEAILAQMMBgULDwIJHQICIgERAQUBChIGExK?= =?us-ascii?q?KAQEDCA0QMqELP4pVEYEjggQFARyDCQWDXgoZJwMKVoNEAQEBAQEBBAEBAQEBA?= =?us-ascii?q?QEZAgYSeYIcgjNSgiiCcDSDJoFEgxOCYQWHcwyBU4d3jRqHM4wwgglWiGCGUIk?= =?us-ascii?q?liikUH4EVH4FCMCEjXhmEZQ8QDIFtOTYBAYoTAQEB?= X-IronPort-AV: E=Sophos;i="5.39,379,1493676000"; d="scan'208";a="280389362" Received: from mail-yw0-f179.google.com ([209.85.161.179]) by mail2-smtp-roc.national.inria.fr with ESMTP/TLS/AES128-GCM-SHA256; 23 Jun 2017 18:47:16 +0200 Received: by mail-yw0-f179.google.com with SMTP id 63so19156724ywr.0; Fri, 23 Jun 2017 09:47:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Mus1uYwyjKq7Jr6N6h7q9uuSBQoG7eEnA0pC0w2Fxkc=; b=kuEfO3Itdq5cepS/B6UNpJHfdYEFpsHSMuLAo3YZXqwA7ybGXt1Wx1eyRKeiH8aRAQ sQpKVib7Gok/gUIvUNGOJ7PJQRJNWAKI9aFCPMM7hOWK9/0Al7LJN9rT0XENshB2wqWD fxYevQlHJJugFir+74kkkbf6WV8kfX2+WwXb3ttbCm/XltNHe/6334b14vsUtOv4lU8V m71OOQopsmJ+bAEin14X2JOfquuE7phf627rNg9vBOMNT5HJvXEIHHpYRntkatC/cLI+ aaQPX0kNLExWJoXl+ritJsd3yKjfjMR6eQQz7EBslK53Wmo9wEWI5CVUYe0jtArz4KPy owBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Mus1uYwyjKq7Jr6N6h7q9uuSBQoG7eEnA0pC0w2Fxkc=; b=QkjXzVeohnD7bJHwwJCFE8WMsWEaEWZEnNSgc/9xj7KHLn4XFv+NQnqPL8k/EFHKGq ENizfiuovEbzCC/mdmkXxD2zYwuy2qmv77NsRV8/dMNBY5/ywtdSs2a1QbnvazWDc4W3 w3SBiUqwrGBAkcKvydb92tyc/EfKdRMRyfq0OzRyAAgyvruMwXa2yXjWQ5+kLfAwJ7lv Aeu7TtaF1VdjsxpiTwbHYCT8Eavywb7ebrf2RsZO/El8nimb83kN4hgF9MDcJBoWYOOM +BYm8SG2s1oZ3JXfFuxO4fCV9fbMiZ4id9JpE4K/UKn3qOIZn4qnyBA9t3C/HQGM8KOQ O7NQ== X-Gm-Message-State: AKS2vOxPAq3ZupEFZ2gMfUjoXVfw7bNuGvoLXlGLhVsn+4fRhomiXoe3 8Q5gOZ5jeIPWRNZz0U75773HWMLs1g== X-Received: by 10.13.235.202 with SMTP id u193mr6416069ywe.222.1498236435374; Fri, 23 Jun 2017 09:47:15 -0700 (PDT) MIME-Version: 1.0 Received: by 10.37.58.68 with HTTP; Fri, 23 Jun 2017 09:47:15 -0700 (PDT) In-Reply-To: <21771A83-D685-4776-9CE7-883775F05977@inria.fr> References: <21771A83-D685-4776-9CE7-883775F05977@inria.fr> From: Alexey Egorov Date: Fri, 23 Jun 2017 21:47:15 +0500 Message-ID: To: Damien Doligez Cc: caml users Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Subject: Re: [Caml-list] OCaml release 4.04.2 Why the CPLUGINS feature is enabled by default AND completely undocumented? Loading code to my app based on some unknown environment variable _by_default_ already seems like a vulnerability to me. 2017-06-23 20:18 GMT+05:00 Damien Doligez : > > Dear OCaml users, > > We have the pleasure of celebrating the birthday of Alan Turing by > announcing the release of OCaml version 4.04.2. > > This minor release fixes the security issue described in > CVE-2017-9772 (included below). > > All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1. > Any user who produces setuid programs with OCaml should read the CVE > and upgrade immediately. > > It is available as an OPAM switch, or as a source download here: > https://caml.inria.fr/pub/distrib/ocaml-4.04/ > https://github.com/ocaml/ocaml/archive/4.04.2.tar.gz > > Happy hacking, > > -- Damien Doligez for the OCaml team. > > > OCaml 4.04.2 (23 Jun 2017): > --------------------------- > > ### Security fix: > > - PR#7557: Local privilege escalation issue with ocaml binaries. > (Damien Doligez, report by Eric Milliken, review by Xavier Leroy) > > -------------------------------------------------------------------- > > CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables > > The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and > CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compil= ed > executable or any ocamlc-compiled executable in =E2=80=98custom runtime m= ode=E2=80=99. > This can lead to privilege escalation if the executable is marked setuid. > > Vulnerable versions: OCaml 4.04.0 and 4.04.1 > > Workarounds: > - Upgrade to OCaml 4.04.2 or higher. > or - Compile the OCaml distribution with the "-no-cplugins" configure opt= ion. > or - OPAM users can "opam update && opam switch recompile 4.04.1", as > the repository has had backported patches applied. > > Impact: This only affects binaries that have been installed on Unix-like > operating systems (including Linux and macOS) with the setuid bit set. > However, in that situation, any user who execute the program gains all > the privileges of the owner of the executable (meaning that root-owned > setuid executables provide root access). > > Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv > to raise an exception if the process has ever had elevated privileges. > The OCaml runtime has also been modified to use this function for > retrieving all of the runtime environment variables which could potential= ly > cause files to be accessed or modified. The older behaviour is available > in Sys.unsafe_getenv for applications that require strict compatibility. > > Credits: This was originally reported by Eric Milliken on the OCaml Mantis > bug tracker. https://caml.inria.fr/mantis/view.php?id=3D7557 > > References: see CVE-2017-9779 for a lesser vulnerability in older version= s. > > CVSS v2 Vector: > AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L > CWE ID: 114 > > > -- > Caml-list mailing list. Subscription management and archives: > https://sympa.inria.fr/sympa/arc/caml-list > Beginner's list: http://groups.yahoo.com/group/ocaml_beginners > Bug reports: http://caml.inria.fr/bin/caml-bugs