From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Original-To: caml-list@sympa.inria.fr Delivered-To: caml-list@sympa.inria.fr Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) by sympa.inria.fr (Postfix) with ESMTPS id 747218018B for ; Fri, 23 Jun 2017 21:14:23 +0200 (CEST) Authentication-Results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=gabriel.scherer@gmail.com; spf=Pass smtp.mailfrom=gabriel.scherer@gmail.com; spf=None smtp.helo=postmaster@mail-io0-f180.google.com Received-SPF: None (mail2-smtp-roc.national.inria.fr: no sender authenticity information available from domain of gabriel.scherer@gmail.com) identity=pra; client-ip=209.85.223.180; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="gabriel.scherer@gmail.com"; x-sender="gabriel.scherer@gmail.com"; x-conformance=sidf_compatible Received-SPF: Pass (mail2-smtp-roc.national.inria.fr: domain of gabriel.scherer@gmail.com designates 209.85.223.180 as permitted sender) identity=mailfrom; client-ip=209.85.223.180; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="gabriel.scherer@gmail.com"; x-sender="gabriel.scherer@gmail.com"; x-conformance=sidf_compatible; x-record-type="v=spf1" Received-SPF: None (mail2-smtp-roc.national.inria.fr: no sender authenticity information available from domain of postmaster@mail-io0-f180.google.com) identity=helo; client-ip=209.85.223.180; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="gabriel.scherer@gmail.com"; x-sender="postmaster@mail-io0-f180.google.com"; x-conformance=sidf_compatible IronPort-PHdr: =?us-ascii?q?9a23=3AtO5dYBTVCvPA7e2Y7+pidRmVFtpsv+yvbD5Q0YIu?= =?us-ascii?q?jvd0So/mwa6zYxCN2/xhgRfzUJnB7Loc0qyN4v+mATRIyK3CmUhKSIZLWR4BhJ?= =?us-ascii?q?detC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+?= =?us-ascii?q?KPjrFY7OlcS30P2594HObwlSijewZbF/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf?= =?us-ascii?q?5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbD?= =?us-ascii?q?VwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4rx1QxH0li?= =?us-ascii?q?gIKz858HnWisNuiqJbvAmhrAF7z4LNfY2ZKOZycqbbcNwdWGRBQ91RVzRfDYyg?= =?us-ascii?q?c4sBAe0BPeNCoIn8oVsFsB+yCAaoCe/qzDJDm3340rAg0+k5Ew7G0gwuEdwNvn?= =?us-ascii?q?rJstv6KKgcXPupzKnR1zjPc+9a1Sv/5YXObxsvoeuMXbV1ccfJyEcgDRjKjk+R?= =?us-ascii?q?qYP7OzOey/kDvHSb7+V+T+KglXQnoBx2rzig3MgjkZPJhoMLxVDA7yl525o6Jd?= =?us-ascii?q?2mR05hf9GkCoBdty6fN4RsQ8MiR3tktzo9yr0DoJO2ejUBxpogxx7acfOHco6I?= =?us-ascii?q?7wriVOaXOzd4hWhqdKixhxao6USgxez8VtW00FZXtSVJiMXDtncI1xDL6smIUP?= =?us-ascii?q?t9/kCm2TqVyw/T7eRELEYpnqTYM54s2qA8moYXvEjZHSL7mF/6gLGIekgq4OSk?= =?us-ascii?q?9ufqbqngq5SBLYF7kBv+Pb4rmsGnAeQ3LAwOX2+D9OS5zrLj/En5TKxLjv0xjq?= =?us-ascii?q?XVqZ7aKdkYq6KlGQNV3YEj6xGwDzeiztsUh2UILFVAeB6fjojpPU/BIOzgAPuh?= =?us-ascii?q?n1ihlC1nyvPGM7H7HJnBMHbOnK38cbt+90JQ0A8zwspe55JQBLEBOvXzWkrpud?= =?us-ascii?q?zXFBA2KBa0w+f5B9V5zI8eQn6AAq+HP6PIr1CI/PkiI+aJZIAPuTb9L+Ip6OLp?= =?us-ascii?q?jX88gVMdZ7Wm3YMLaHCkGfRrO1iWYX3ogtcAHmcFoAs/QffriV2DVD5cfGyyUL?= =?us-ascii?q?gm6jE6DoKmF4bDSZq3jLyPxiexBodWaXxeClCQDXfocJ2JVOsWZyKXJs9tizgE?= =?us-ascii?q?Vbm6S489zhyurw/7y79/LuXO4CEYtJTj1MJ05+LJjx0y+yZ0XIyh1DShRn91ki?= =?us-ascii?q?shQzst27hn6Rhx0F7G16VnmNRdGMBa/O9AWQR8PpnZmb9UEdf3Dy3IdM2IRVLu?= =?us-ascii?q?ed6mDCs8VJplzNYEeUdwH5O5hRDOxSewK7AQnr2PQpcz9/SPjDDKO89hxiOeh+?= =?us-ascii?q?EahF48T54KaDSr?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BEAACkZ01ZhrTfVdFEGhoBAQEBAgEBA?= =?us-ascii?q?QEIAQEBARcBAQQBAQoBAYNQP4ENB4NlihmRYXOBToZahBuIQoIRIQuFeAKDAQc?= =?us-ascii?q?/GAEBAQEBAQEBAQEBEgEBAQgLCwgoL4IzJIJCAQEBAwEiHQEbEAILAQMMBgULA?= =?us-ascii?q?woCAgkdAgIiAREBBQEKEgYTEgiJeQEDFRAyoR8/ilURgSOCBAUBHIMJBYNfChk?= =?us-ascii?q?nAwpWg0QBAQEBAQEBAwEBAQEBAQEZAgYSeYIcg0yBYYJwNIMmgSAkgxOCYQWHc?= =?us-ascii?q?wyBU5URghaFHYwwgglWiGCGUIkliikUH4EVH4FCMCEjXhmEZQ8QDIICJDYBAYd?= =?us-ascii?q?Ugj8BAQE?= X-IPAS-Result: =?us-ascii?q?A0BEAACkZ01ZhrTfVdFEGhoBAQEBAgEBAQEIAQEBARcBAQQ?= =?us-ascii?q?BAQoBAYNQP4ENB4NlihmRYXOBToZahBuIQoIRIQuFeAKDAQc/GAEBAQEBAQEBA?= =?us-ascii?q?QEBEgEBAQgLCwgoL4IzJIJCAQEBAwEiHQEbEAILAQMMBgULAwoCAgkdAgIiARE?= =?us-ascii?q?BBQEKEgYTEgiJeQEDFRAyoR8/ilURgSOCBAUBHIMJBYNfChknAwpWg0QBAQEBA?= =?us-ascii?q?QEBAwEBAQEBAQEZAgYSeYIcg0yBYYJwNIMmgSAkgxOCYQWHcwyBU5URghaFHYw?= =?us-ascii?q?wgglWiGCGUIkliikUH4EVH4FCMCEjXhmEZQ8QDIICJDYBAYdUgj8BAQE?= X-IronPort-AV: E=Sophos;i="5.39,379,1493676000"; d="scan'208";a="280399512" Received: from mail-io0-f180.google.com ([209.85.223.180]) by mail2-smtp-roc.national.inria.fr with ESMTP/TLS/AES128-GCM-SHA256; 23 Jun 2017 21:14:22 +0200 Received: by mail-io0-f180.google.com with SMTP id h64so7862672iod.0; Fri, 23 Jun 2017 12:14:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=xewl+p14qAJ5Tsp61hueIftVvvwVSTCsWl45UZvVZ/I=; b=tUq7bl76IFiiBXMwKlyuIotUPHXxYvRsYo9YPFaaaryboGzL6c3hOly5ZSRqgYhh2i 5/fE6H6zQuEndy7YCRhckkg5JjCULScZE3sWst1ZtxN1HXtYPtd/LQCPI6RgITZajWnf epZlqPvEyscbocNijXnYlhb0IjpazRs6ughvcjbM0dP2zRg7M+9P9i25tWZIPwB3qejv PYCjgM/secweOr6AvdCTE8JZmhWsBhWPIMOSNoSVKSJkILeCWDy9lIrIRu+ncH1YPZ4e 4u3bmfPZDEakgtJCANuYZFa5kwP3GtgTppBUJs7m0BLhyhXaPtL73m+nbUVSvEHBPGl0 zw7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=xewl+p14qAJ5Tsp61hueIftVvvwVSTCsWl45UZvVZ/I=; b=EHjlmLy0bDrRe+XFs7I/D2EpdgDGkemftZHH8xug6QXOvy/3sDBH8Z0AelnVa8n/ym oxhnJmnYaMkATGHOEBFk+80wpcs+4b7BQOqJ/icCOQuD9LRWW3ofCaJDG/Seb+cU94Qd 9pHX19L5NLzfaT8bD57IUrJ12KYYyeqmEE/81hgh5f+XNDazSMtLNIByBTQ8P2s88mRW auzO7uLn5De96RKtjmuoKL2LvCB2gR+Hiqo8I7L7919iyhQt19Jto4Jjl4rDkno2lfbl 5OREKH89cjl1GSw14mv1zStQxuFkL7P3gvZc9NJ5452gQuQAHqteJHsMcZGSIf1yNCRr I31Q== X-Gm-Message-State: AKS2vOwVOVxMl19qEbqTe1ZpwNF2+Xjsk3KDd+8GSIvtU+x6UwQCN16q iMpYg8Sx+FNOxFth/1d2OHrBNamxo8l6 X-Received: by 10.107.188.3 with SMTP id m3mr9287478iof.113.1498245260638; Fri, 23 Jun 2017 12:14:20 -0700 (PDT) MIME-Version: 1.0 Received: by 10.79.36.132 with HTTP; Fri, 23 Jun 2017 12:13:40 -0700 (PDT) In-Reply-To: References: <21771A83-D685-4776-9CE7-883775F05977@inria.fr> From: Gabriel Scherer Date: Fri, 23 Jun 2017 15:13:40 -0400 Message-ID: To: David Allsopp Cc: Alexey Egorov , Damien Doligez , caml users Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Subject: Re: [Caml-list] OCaml release 4.04.2 I agree, of course, that we should do a better job of documentation new features as they get merged and not after-the-fact. There was in fact documentation contributed after-the-fact by Florian Angeletti (with helpful reviews by Hezekiah M. Carty and Gabriel Radanne, that in generally has been doing excellent work in the past few years on improving the state of the manual and documentation. https://github.com/ocaml/ocaml/pull/1187 (I think that this change to the documentation only exists in the the trunk version for now, so without explicit backporting it would only become available in the 4.06.0 manual). On Fri, Jun 23, 2017 at 3:05 PM, David Allsopp wro= te: > Alexey Egorov wrote: > > Why the CPLUGINS feature is enabled by default AND completely undocumente= d? > > > The lack of documentation, or even a Changes entry for this feature is > extremely embarrassing, and something the dev team will be working to ens= ure > doesn't happen again. This was GPR#668: > https://github.com/ocaml/ocaml/pull/668 > > Loading code to my app based on some unknown environment variable > _by_default_ already seems like a vulnerability to me. > > > I work principally on Windows, where the ability to load code into anythi= ng > else is very much a feature, though I agree that on Unix, if you have > execute but not read permission to a binary, then this mechanism could be > exploited to dump the code, but the scope of this is much more limited. > > We are still considering whether this feature should remain a default in > 4.05.0 or 4.06.0 - note that you can disable it entirely by passing > -no-cplugins to configure. > > > David > > > 2017-06-23 20:18 GMT+05:00 Damien Doligez : > > > Dear OCaml users, > > > We have the pleasure of celebrating the birthday of Alan Turing by > > announcing the release of OCaml version 4.04.2. > > > This minor release fixes the security issue described in > > CVE-2017-9772 (included below). > > > All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1. > > Any user who produces setuid programs with OCaml should read the CVE > > and upgrade immediately. > > > It is available as an OPAM switch, or as a source download here: > > https://caml.inria.fr/pub/distrib/ocaml-4.04/ > > https://github.com/ocaml/ocaml/archive/4.04.2.tar.gz > > > Happy hacking, > > > -- Damien Doligez for the OCaml team. > > > > OCaml 4.04.2 (23 Jun 2017): > > --------------------------- > > > ### Security fix: > > > - PR#7557: Local privilege escalation issue with ocaml binaries. > > (Damien Doligez, report by Eric Milliken, review by Xavier Leroy) > > > -------------------------------------------------------------------- > > > CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables > > > The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and > > CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compil= ed > > executable or any ocamlc-compiled executable in =E2=80=98custom runtime m= ode=E2=80=99. > > This can lead to privilege escalation if the executable is marked setuid. > > > Vulnerable versions: OCaml 4.04.0 and 4.04.1 > > > Workarounds: > > - Upgrade to OCaml 4.04.2 or higher. > > or - Compile the OCaml distribution with the "-no-cplugins" configure > option. > > or - OPAM users can "opam update && opam switch recompile 4.04.1", as > > the repository has had backported patches applied. > > > Impact: This only affects binaries that have been installed on Unix-like > > operating systems (including Linux and macOS) with the setuid bit set. > > However, in that situation, any user who execute the program gains all > > the privileges of the owner of the executable (meaning that root-owned > > setuid executables provide root access). > > > Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv > > to raise an exception if the process has ever had elevated privileges. > > The OCaml runtime has also been modified to use this function for > > retrieving all of the runtime environment variables which could potential= ly > > cause files to be accessed or modified. The older behaviour is available > > in Sys.unsafe_getenv for applications that require strict compatibility. > > > Credits: This was originally reported by Eric Milliken on the OCaml Mantis > > bug tracker. https://caml.inria.fr/mantis/view.php?id=3D7557 > > > References: see CVE-2017-9779 for a lesser vulnerability in older version= s. > > > CVSS v2 Vector: > > AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L > > CWE ID: 114 > > > > -- > > Caml-list mailing list. Subscription management and archives: > > https://sympa.inria.fr/sympa/arc/caml-list > > Beginner's list: http://groups.yahoo.com/group/ocaml_beginners > > Bug reports: http://caml.inria.fr/bin/caml-bugs > > > -- > Caml-list mailing list. Subscription management and archives: > https://sympa.inria.fr/sympa/arc/caml-list > Beginner's list: http://groups.yahoo.com/group/ocaml_beginners > Bug reports: http://caml.inria.fr/bin/caml-bugs