caml-list - the Caml user's mailing list
From: David Allsopp <dra-news@metastack.com>
To: Evgeny Roubinchtein <zhenya1007@gmail.com>,
	OCaml Mailing List <caml-list@inria.fr>
Subject: RE: [Caml-list] OCaml vs CVE-2017-9779
Date: Wed, 31 Jan 2018 14:18:02 +0000
Message-ID: <E51C5B015DBD1348A1D85763337FB6D90189A5A8CE@Remus.metastack.local>
In-Reply-To: <CAGYXaSbWu_6j5qkuEs=M-1ycs5-3SB6OhihC8Di6dwZLDbeOQA@mail.gmail.com>

Evgeny Roubinchtein wrote:
> Dear OCaml users and developers,
> My current employer ships an executable whose source code is written in OCaml,
> and is trying to understand the security implications and mitigating actions
> (if any) of CVE-2017-9779. For the purposes of this discussion, only the
> native code compiler (ocamlopt) is relevant.
> 
> The questions I would hope to get answers to are:
>
> 1. Which versions of the OCaml compiler produce executables which are affected
> by the vulnerability/ies described in CVE-2017-9779?

All versions prior to 4.04.2 (that's "All" as in "since 1.00", not just "4.04.0 and 4.04.1").

> 2. What mitigation/s (if any) are suggested?

The issue only affects bytecode executables linked in custom runtime mode where there is a limited attack possible on CAML_DEBUG_SOCKET. Since you're using ocamlopt, you're fine.

Note that we updated the manual for 4.05.0 in GPR#1213 (https://github.com/ocaml/ocaml/pull/1213/files#diff-d79da36dce83d24f7fd0cadefe8c97a1R319) to note that custom runtime bytecode executables should never be setuid or setgid.

Sorry for the delay with the reply - it turns out several of us developers involved in the discussion had taken out non-disclosure agreements with our own memories. The CVE was reserved when it was thought that the attack allowed arbitrary privilege escalation, but when we determined it wasn't that serious, we released with just CVE-2017-9772 (which affects ocamlc and ocamlopt but in 4.04.0 and 4.04.1 *only*). We've forgotten to update the CVE text itself, which we're now in the process of dealing with.

All best,

David (on behalf of the OCaml devs)
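As an added illustration of the mitigation David cites from the 4.05 manual (this is not code from the thread or from the OCaml project), here is a POSIX shell check that lists setuid/setgid files whose last bytes look like an OCaml bytecode trailer, which is how a `-custom` executable carries its appended bytecode. It assumes the bytecode image ends with a 12-byte magic of the form `Caml1999X0NN`; the function names and the directory argument are mine.

```shell
#!/bin/sh
# Added check, not from the thread or the OCaml project: list setuid/setgid
# files that end in an OCaml bytecode trailer.
# Assumption: an OCaml bytecode image, including the one a -custom
# executable appends to its own runtime, ends with a 12-byte magic of the
# form "Caml1999X0NN"; only the "Caml1999X" prefix is tested so the two
# format-version digits do not matter.
MAGIC_PREFIX="Caml1999X"

# Return 0 if the file's final 12 bytes look like an OCaml bytecode trailer.
has_caml_trailer() {
  f="$1"
  [ -f "$f" ] || return 1
  trailer=$(tail -c 12 "$f" 2>/dev/null | tr -d '\0')
  case "$trailer" in
    "$MAGIC_PREFIX"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the file is setuid or setgid, the property the 4.05 manual
# says a custom-runtime bytecode executable must never have.
is_suid_or_sgid() {
  [ -u "$1" ] || [ -g "$1" ]
}

# Walk a directory tree and print, one per line, every setuid/setgid
# regular file whose trailer matches. The mode test repeats find's
# filter so the predicate stays usable on single files too; non-empty
# output is what an audit or CI job should fail on.
scan_tree() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
  while IFS= read -r f; do
    if is_suid_or_sgid "$f" && has_caml_trailer "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Usage: sh check_ocaml_suid.sh /usr/local/bin
if [ "$#" -gt 0 ]; then
  scan_tree "$1"
fi
```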

Thread overview: 4+ messages
2018-01-31  1:43 Evgeny Roubinchtein
2018-01-31  9:55 ` Daniel Bünzli
2018-01-31 10:23   ` David Allsopp
2018-01-31 14:18 ` David Allsopp [this message]