caml-list - the Caml user's mailing list
* [Caml-list] OCaml release 4.04.2
@ 2017-06-23 15:18 Damien Doligez
  2017-06-23 16:47 ` Alexey Egorov
  2017-06-23 20:38 ` Hannes Mehnert
  0 siblings, 2 replies; 7+ messages in thread
From: Damien Doligez @ 2017-06-23 15:18 UTC (permalink / raw)
  To: caml announce, caml users


Dear OCaml users,

We have the pleasure of celebrating the birthday of Alan Turing by
announcing the release of OCaml version 4.04.2.

This minor release fixes the security issue described in
CVE-2017-9772 (included below).

All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1.
Any user who produces setuid programs with OCaml should read the CVE
and upgrade immediately.

It is available as an OPAM switch, or as a source download here:
  https://caml.inria.fr/pub/distrib/ocaml-4.04/
  https://github.com/ocaml/ocaml/archive/4.04.2.tar.gz

Happy hacking,

-- Damien Doligez for the OCaml team.


OCaml 4.04.2 (23 Jun 2017):
---------------------------

### Security fix:

- PR#7557: Local privilege escalation issue with ocaml binaries.
  (Damien Doligez, report by Eric Milliken, review by Xavier Leroy)

--------------------------------------------------------------------

CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables

The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and
CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled
executable or any ocamlc-compiled executable in ‘custom runtime mode’.
This can lead to privilege escalation if the executable is marked setuid.

Vulnerable versions: OCaml 4.04.0 and 4.04.1

Workarounds:
   - Upgrade to OCaml 4.04.2 or higher.
or - Compile the OCaml distribution with the "-no-cplugins" configure option.
or - OPAM users can "opam update && opam switch recompile 4.04.1", as
     the repository has had backported patches applied.

Impact: This only affects binaries that have been installed on Unix-like
operating systems (including Linux and macOS) with the setuid bit set.
However, in that situation, any user who executes the program gains all
the privileges of the owner of the executable (meaning that root-owned
setuid executables provide root access).

Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv
to raise an exception if the process has ever had elevated privileges.
The OCaml runtime has also been modified to use this function for
retrieving all of the runtime environment variables which could potentially
cause files to be accessed or modified.  The older behaviour is available
in Sys.unsafe_getenv for applications that require strict compatibility.

Credits: This was originally reported by Eric Milliken on the OCaml Mantis
bug tracker. https://caml.inria.fr/mantis/view.php?id=7557

References: see CVE-2017-9779 for a lesser vulnerability in older versions.

CVSS v2 Vector:
AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L
CWE ID: 114
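The Fix paragraph above describes the gate: a process that has held elevated privileges must not honour environment variables that cause code to be loaded. The following C program is an added example, not code from the OCaml runtime or from this announcement; privileged_process, gated_getenv, unsafe_getenv, plugins_to_load and the variable EXAMPLE_CPLUGINS are hypothetical names, and the real/effective id comparison is an assumed portable check (glibc's secure_getenv and BSD's issetugid additionally cover a process that has since dropped its privileges, which this simple comparison does not).

```c
/* Added example, not the OCaml runtime's code: a privilege-aware
 * environment lookup of the kind the CVE-2017-9772 fix describes.
 * All function and variable names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed portable check for "this process runs with elevated privileges":
 * real and effective ids differ, as in a setuid/setgid executable.
 * It does not detect a process that equalised its ids after startup. */
int privileged_process(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Lookup that refuses to read the environment of a privileged process.
 * Returning NULL plays the role of the exception the announcement says
 * Sys.getenv raises in 4.04.2. The privilege state is a parameter so the
 * policy can be exercised without building a real setuid binary. */
const char *gated_getenv(const char *name, int privileged)
{
    if (privileged)
        return NULL;
    return getenv(name);
}

/* Pre-fix behaviour (what Sys.unsafe_getenv keeps for compatibility):
 * always reads, so it must never decide what code a setuid process loads. */
const char *unsafe_getenv(const char *name)
{
    return getenv(name);
}

/* Startup policy: how many plugin paths from a comma-separated list in
 * `var` would be loaded. A privileged process gets 0, which is the whole
 * point of the mitigation. The comma-separated format is constructed for
 * this example and is not a claim about CAML_CPLUGINS syntax. */
int plugins_to_load(const char *var, int privileged)
{
    const char *val = gated_getenv(var, privileged);
    int count;
    if (val == NULL || *val == '\0')
        return 0;
    count = 1;
    for (const char *p = val; *p; p++)
        if (*p == ',')
            count++;
    return count;
}

int main(void)
{
    /* Constructed sample value under a hypothetical variable name. */
    setenv("EXAMPLE_CPLUGINS", "/opt/a.so,/opt/b.so", 1);
    printf("unprivileged: %d plugin(s)\n", plugins_to_load("EXAMPLE_CPLUGINS", 0));
    printf("setuid:       %d plugin(s)\n", plugins_to_load("EXAMPLE_CPLUGINS", 1));
    printf("this process privileged? %d\n", privileged_process());
    return 0;
}
```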



* Re: [Caml-list] OCaml release 4.04.2
  2017-06-23 15:18 [Caml-list] OCaml release 4.04.2 Damien Doligez
@ 2017-06-23 16:47 ` Alexey Egorov
  2017-06-23 19:05   ` David Allsopp
  2017-06-23 20:38 ` Hannes Mehnert
  1 sibling, 1 reply; 7+ messages in thread
From: Alexey Egorov @ 2017-06-23 16:47 UTC (permalink / raw)
  To: Damien Doligez; +Cc: caml users

Why is the CPLUGINS feature enabled by default AND completely undocumented?
Loading code into my app based on some unknown environment variable
_by_default_ already seems like a vulnerability to me.


* Re: [Caml-list] OCaml release 4.04.2
  2017-06-23 16:47 ` Alexey Egorov
@ 2017-06-23 19:05   ` David Allsopp
  2017-06-23 19:13     ` Gabriel Scherer
  0 siblings, 1 reply; 7+ messages in thread
From: David Allsopp @ 2017-06-23 19:05 UTC (permalink / raw)
  To: Alexey Egorov; +Cc: Damien Doligez, caml users


Alexey Egorov wrote:

> Why is the CPLUGINS feature enabled by default AND completely undocumented?

The lack of documentation, or even a Changes entry for this feature is extremely embarrassing, and something the dev team will be working to ensure doesn't happen again. This was GPR#668: https://github.com/ocaml/ocaml/pull/668

> Loading code into my app based on some unknown environment variable
> _by_default_ already seems like a vulnerability to me.

I work principally on Windows, where the ability to load code into anything else is very much a feature, though I agree that on Unix, if you have execute but not read permission to a binary, then this mechanism could be exploited to dump the code, but the scope of this is much more limited.

We are still considering whether this feature should remain a default in 4.05.0 or 4.06.0 - note that you can disable it entirely by passing -no-cplugins to configure.


David


* Re: [Caml-list] OCaml release 4.04.2
  2017-06-23 19:05   ` David Allsopp
@ 2017-06-23 19:13     ` Gabriel Scherer
  2017-06-23 19:53       ` octachron
  0 siblings, 1 reply; 7+ messages in thread
From: Gabriel Scherer @ 2017-06-23 19:13 UTC (permalink / raw)
  To: David Allsopp; +Cc: Alexey Egorov, Damien Doligez, caml users

I agree, of course, that we should do a better job of documenting
new features as they get merged and not after the fact. There was in
fact documentation contributed after the fact by Florian Angeletti
(with helpful reviews by Hezekiah M. Carty and Gabriel Radanne, who
in general has been doing excellent work in the past few years on
improving the state of the manual and documentation).

  https://github.com/ocaml/ocaml/pull/1187

(I think that this change to the documentation only exists in the
trunk version for now, so without explicit backporting it would only
become available in the 4.06.0 manual).

On Fri, Jun 23, 2017 at 3:05 PM, David Allsopp <dra-news@metastack.com> wrote:
> Alexey Egorov wrote:
>
>> Why is the CPLUGINS feature enabled by default AND completely undocumented?
>
> The lack of documentation, or even a Changes entry for this feature is
> extremely embarrassing, and something the dev team will be working to ensure
> doesn't happen again. This was GPR#668:
> https://github.com/ocaml/ocaml/pull/668
>
>> Loading code into my app based on some unknown environment variable
>> _by_default_ already seems like a vulnerability to me.
>
> I work principally on Windows, where the ability to load code into anything
> else is very much a feature, though I agree that on Unix, if you have
> execute but not read permission to a binary, then this mechanism could be
> exploited to dump the code, but the scope of this is much more limited.
>
> We are still considering whether this feature should remain a default in
> 4.05.0 or 4.06.0 - note that you can disable it entirely by passing
> -no-cplugins to configure.
>
> David

* Re: [Caml-list] OCaml release 4.04.2
  2017-06-23 19:13     ` Gabriel Scherer
@ 2017-06-23 19:53       ` octachron
  0 siblings, 0 replies; 7+ messages in thread
From: octachron @ 2017-06-23 19:53 UTC (permalink / raw)
  To: caml-list

Unfortunately, the C runtime plugin feature is still woefully
undocumented currently. The recent documentation effort focused on
(OCaml) compiler plugins, whose existence was very briefly
touched upon in previous versions of the documentation but not really
documented. And the extended documentation for these compiler plugins
will indeed only be available in the 4.06 version of the manual (unless
we decide to backport these changes or make available an experimental
trunk version of the manual).

On 23/06/2017 at 21:13, Gabriel Scherer wrote:
> I agree, of course, that we should do a better job of documenting
> new features as they get merged and not after the fact. There was in
> fact documentation contributed after the fact by Florian Angeletti
> (with helpful reviews by Hezekiah M. Carty and Gabriel Radanne, who
> in general has been doing excellent work in the past few years on
> improving the state of the manual and documentation).
>
>    https://github.com/ocaml/ocaml/pull/1187
>
> (I think that this change to the documentation only exists in the
> trunk version for now, so without explicit backporting it would only
> become available in the 4.06.0 manual).
>



* Re: [Caml-list] OCaml release 4.04.2
  2017-06-23 15:18 [Caml-list] OCaml release 4.04.2 Damien Doligez
  2017-06-23 16:47 ` Alexey Egorov
@ 2017-06-23 20:38 ` Hannes Mehnert
  2017-06-23 21:18   ` Anil Madhavapeddy
  1 sibling, 1 reply; 7+ messages in thread
From: Hannes Mehnert @ 2017-06-23 20:38 UTC (permalink / raw)
  To: caml-list

Damien,

thank you for your work on the release.

On 23/06/2017 16:18, Damien Doligez wrote:
> Workarounds:
>    - Upgrade to OCaml 4.04.2 or higher.
> or - Compile the OCaml distribution with the "-no-cplugins" configure option.
> or - OPAM users can "opam update && opam switch recompile 4.04.1", as
>      the repository has had backported patches applied.

I fail to find any 4.04.1 backports in the opam repository at
https://github.com/ocaml/opam-repository/tree/master/compilers/4.04.1

Thus, the only way is to upgrade to 4.04.2 (or downgrade to 4.03).


hannes


* Re: [Caml-list] OCaml release 4.04.2
  2017-06-23 20:38 ` Hannes Mehnert
@ 2017-06-23 21:18   ` Anil Madhavapeddy
  0 siblings, 0 replies; 7+ messages in thread
From: Anil Madhavapeddy @ 2017-06-23 21:18 UTC (permalink / raw)
  To: Hannes Mehnert; +Cc: caml-list

On 23 Jun 2017, at 21:38, Hannes Mehnert <hannes@mehnert.org> wrote:
> 
> Damien,
> 
> thank you for your work on the release.
> 
> On 23/06/2017 16:18, Damien Doligez wrote:
>> Workarounds:
>>  - Upgrade to OCaml 4.04.2 or higher.
>> or - Compile the OCaml distribution with the "-no-cplugins" configure option.
>> or - OPAM users can "opam update && opam switch recompile 4.04.1", as
>>    the repository has had backported patches applied.
> 
> I fail to find any 4.04.1 backports in the opam repository at
> https://github.com/ocaml/opam-repository/tree/master/compilers/4.04.1
> 
> Thus, the only way is to upgrade to 4.04.2 (or downgrade to 4.03).

Sorry, the opam backports are lagging as the final patch in 4.04.2 changed
a little bit.  However, the upgrade to 4.04.2 should have zero side effects
in practice for a source installation via OPAM, so please do let me know
if you run into any difficulty upgrading from 4.04.0/1 to 4.04.2.

TL;DR do `opam update && opam switch 4.04.2` for now.

regards,
Anil
