From: David Allsopp <dra-news@metastack.com>
To: "Daniel Bünzli" <daniel.buenzli@erratique.ch>,
"Evgeny Roubinchtein" <zhenya1007@gmail.com>,
"OCaml Mailing List" <caml-list@inria.fr>
Subject: RE: [Caml-list] OCaml vs CVE-2017-9779
Date: Wed, 31 Jan 2018 10:23:43 +0000 [thread overview]
Message-ID: <E51C5B015DBD1348A1D85763337FB6D90189A59280@Remus.metastack.local> (raw)
In-Reply-To: <etPan.5a719297.3a5ac6e6.14b69@erratique.ch>
Daniel Bünzli wrote:
> On 31 January 2018 at 02:43:28, Evgeny Roubinchtein
> (zhenya1007@gmail.com) wrote:
>
> > 1. Which versions of the OCaml compiler produce executables which are
> > affected by the vulnerability/ies described in CVE-2017-9779?
>
> 4.04.0 and 4.04.1
>
> > 2. What mitigation/s (if any) are suggested?
>
> Unless you can control the environment an prevent use of CAML_CPLUGINS
> and CAML_NATIVE_CPLUGINS I'm not sure there's any except avoiding using
> the compilers above. Note that the escalation affects only setuid
> binaries.
>
> For reference here's the discussion about the bug:
>
> https://caml.inria.fr/mantis/view.php?id=7557
>
> the commit that introduced the vulnerability:
>
> https://github.com/ocaml/ocaml/pull/668/commits/6a83bdd5937522efeeff496349c22bcb2f832866
>
> and the resolution:
>
> https://github.com/ocaml/ocaml/commit/850021c200c7507f2a928a66fa1291ff4ae3a622
> https://github.com/ocaml/ocaml/pull/1213
The information you've posted here refers to CVE-2017-9772, not CVE-2017-9779. There's a discussion on caml-devel in progress at the moment which should yield a reply to this shortly!
David
next prev parent reply other threads:[~2018-01-31 10:23 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-31 1:43 Evgeny Roubinchtein
2018-01-31 9:55 ` Daniel Bünzli
2018-01-31 10:23 ` David Allsopp [this message]
2018-01-31 14:18 ` David Allsopp
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E51C5B015DBD1348A1D85763337FB6D90189A59280@Remus.metastack.local \
--to=dra-news@metastack.com \
--cc=caml-list@inria.fr \
--cc=daniel.buenzli@erratique.ch \
--cc=zhenya1007@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).