caml-list - the Caml user's mailing list
* [Caml-list] OCaml vs CVE-2017-9779
@ 2018-01-31  1:43 Evgeny Roubinchtein
  2018-01-31  9:55 ` Daniel Bünzli
  2018-01-31 14:18 ` David Allsopp
From: Evgeny Roubinchtein @ 2018-01-31  1:43 UTC (permalink / raw)
  To: OCaml Mailing List


Dear OCaml users and developers,

My current employer ships an executable whose source code is written in
OCaml, and is trying to understand the security implications and mitigating
actions (if any) of CVE-2017-9779. For the purposes of this discussion,
only the native code compiler (ocamlopt) is relevant.

The questions I would hope to get answers to are:

1. Which versions of the OCaml compiler produce executables which are
affected by the vulnerability/ies described in CVE-2017-9779?

2. What mitigation/s (if any) are suggested?

I will point out that my current employer and I are pretty confident that
we understand the issues described by CVE-2017-9772; the assumption we are
operating under is that there is a separate issue/issues that are different
from the issues covered in CVE-2017-9772.

If you would like to continue the discussion off-list, or would like to
encrypt further communication on this subject, or would like to see
non-disclosure agreements signed in triplicate and delivered by bactrian
camels, please let me know what your requirements are: I will so inform my
employer and we'll try to accommodate.

Thank you in advance!

-- 
Best,
Evgeny ("Zhenya")



* Re: [Caml-list] OCaml vs CVE-2017-9779
  2018-01-31  1:43 [Caml-list] OCaml vs CVE-2017-9779 Evgeny Roubinchtein
@ 2018-01-31  9:55 ` Daniel Bünzli
  2018-01-31 10:23   ` David Allsopp
  2018-01-31 14:18 ` David Allsopp
From: Daniel Bünzli @ 2018-01-31  9:55 UTC (permalink / raw)
  To: Evgeny Roubinchtein, OCaml Mailing List

On 31 January 2018 at 02:43:28, Evgeny Roubinchtein (zhenya1007@gmail.com) wrote:

> 1. Which versions of the OCaml compiler produce executables which are
> affected by the vulnerability/ies described in CVE-2017-9779?

4.04.0 and 4.04.1

> 2. What mitigation/s (if any) are suggested?

Unless you can control the environment and prevent use of CAML_CPLUGINS and CAML_NATIVE_CPLUGINS I'm not sure there's any except avoiding using the compilers above. Note that the escalation affects only setuid binaries.

For reference here's the discussion about the bug:

  https://caml.inria.fr/mantis/view.php?id=7557

the commit that introduced the vulnerability:

  https://github.com/ocaml/ocaml/pull/668/commits/6a83bdd5937522efeeff496349c22bcb2f832866

and the resolution:

  https://github.com/ocaml/ocaml/commit/850021c200c7507f2a928a66fa1291ff4ae3a622
  https://github.com/ocaml/ocaml/pull/1213

Best, 

Daniel




* RE: [Caml-list] OCaml vs CVE-2017-9779
  2018-01-31  9:55 ` Daniel Bünzli
@ 2018-01-31 10:23   ` David Allsopp
From: David Allsopp @ 2018-01-31 10:23 UTC (permalink / raw)
  To: Daniel Bünzli, Evgeny Roubinchtein, OCaml Mailing List

Daniel Bünzli wrote:
> On 31 January 2018 at 02:43:28, Evgeny Roubinchtein
> (zhenya1007@gmail.com) wrote:
> 
> > 1. Which versions of the OCaml compiler produce executables which are
> > affected by the vulnerability/ies described in CVE-2017-9779?
> 
> 4.04.0 and 4.04.1
>
> > 2. What mitigation/s (if any) are suggested?
> 
> Unless you can control the environment and prevent use of CAML_CPLUGINS
> and CAML_NATIVE_CPLUGINS I'm not sure there's any except avoiding using
> the compilers above. Note that the escalation affects only setuid
> binaries.
> 
> For reference here's the discussion about the bug:
> 
>   https://caml.inria.fr/mantis/view.php?id=7557
> 
> the commit that introduced the vulnerability:
> 
>   https://github.com/ocaml/ocaml/pull/668/commits/6a83bdd5937522efeeff496349c22bcb2f832866
> 
> and the resolution:
> 
>   https://github.com/ocaml/ocaml/commit/850021c200c7507f2a928a66fa1291ff4ae3a622
>   https://github.com/ocaml/ocaml/pull/1213

The information you've posted here refers to CVE-2017-9772, not CVE-2017-9779. There's a discussion on caml-devel in progress at the moment which should yield a reply to this shortly!


David


* RE: [Caml-list] OCaml vs CVE-2017-9779
  2018-01-31  1:43 [Caml-list] OCaml vs CVE-2017-9779 Evgeny Roubinchtein
  2018-01-31  9:55 ` Daniel Bünzli
@ 2018-01-31 14:18 ` David Allsopp
From: David Allsopp @ 2018-01-31 14:18 UTC (permalink / raw)
  To: Evgeny Roubinchtein, OCaml Mailing List

Evgeny Roubinchtein wrote:
> Dear OCaml users and developers,
> My current employer ships an executable whose source code is written in OCaml,
> and is trying to understand the security implications and mitigating actions
> (if any) of CVE-2017-9779. For the purposes of this discussion, only the
> native code compiler (ocamlopt) is relevant.
> 
> The questions I would hope to get answers to are:
>
> 1. Which versions of the OCaml compiler produce executables which are affected
> by the vulnerability/ies described in CVE-2017-9779?

All versions prior to 4.04.2 (that's "All" as in "since 1.00", not just "4.04.0 and 4.04.1").

> 2. What mitigation/s (if any) are suggested?

The issue only affects bytecode executables linked in custom runtime mode where there is a limited attack possible on CAML_DEBUG_SOCKET. Since you're using ocamlopt, you're fine.

Note that we updated the manual for 4.05.0 in GPR#1213 (https://github.com/ocaml/ocaml/pull/1213/files#diff-d79da36dce83d24f7fd0cadefe8c97a1R319) to note that custom runtime bytecode executables should never be setuid or setgid.

Sorry for the delay with the reply - it turns out several of us developers involved in the discussion had taken out non-disclosure agreements with our own memories. The CVE was reserved when it was thought that the attack allowed arbitrary privilege escalation, but when we determined it wasn't that serious, we released with just CVE-2017-9772 (which affects ocamlc and ocamlopt but in 4.04.0 and 4.04.1 *only*). We've forgotten to update the CVE text itself, which we're now in the process of dealing with.

All best,


David (on behalf of the OCaml devs)
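As an added example (not code from the thread or from the OCaml project), a POSIX shell audit that follows David's guidance: it lists the setuid/setgid files under a directory that look like custom-runtime bytecode executables, and it tests a compiler version string against the 4.04.2 boundary he gives. Recognising a custom-runtime executable by the CAML_DEBUG_SOCKET string that libcamlrun's debugger support carries is my assumption, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or the OCaml project). Audits a directory
# for setuid/setgid executables that appear to embed the OCaml bytecode runtime,
# the population David's reply says CVE-2017-9779 concerns, and checks a
# compiler version against the < 4.04.2 boundary he gives.
#
# Heuristic (my assumption, not stated in the thread): an executable built with
# `ocamlc -custom` statically links libcamlrun, whose debugger support contains
# the literal string CAML_DEBUG_SOCKET, while ocamlopt output links libasmrun
# and does not. Treat a hit as a candidate to confirm, not as proof.

# Print, one per line and sorted, each setuid or setgid regular file under $1
# that contains the CAML_DEBUG_SOCKET marker.
audit_setuid_bytecode() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
  while IFS= read -r f; do
    # -a scans a binary as text, -F matches the fixed string, -q only sets status
    if grep -a -q -F 'CAML_DEBUG_SOCKET' "$f"; then
      printf '%s\n' "$f"
    fi
  done | sort
}

# Succeed (exit 0) when an OCaml version string such as "4.04.1" or
# "4.05.0+flambda" is older than 4.04.2. Missing components count as 0 and a
# "+suffix" on a component is ignored. No arithmetic expansion is used, so a
# component such as "08" is not misread as octal.
version_before_4_04_2() {
  v=$1
  maj=${v%%.*}; v=${v#"$maj"}; v=${v#.}
  min=${v%%.*}; v=${v#"$min"}; v=${v#.}
  pat=${v%%[!0-9]*}
  maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}
  maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
  [ "$maj" -lt 4 ] ||
  { [ "$maj" -eq 4 ] && [ "$min" -lt 4 ]; } ||
  { [ "$maj" -eq 4 ] && [ "$min" -eq 4 ] && [ "$pat" -lt 2 ]; }
}

# Stand-alone use, e.g.: audit_setuid_bytecode /usr/local/bin
```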

