From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <daniel.buenzli@erratique.ch>
X-Original-To: caml-list@sympa.inria.fr
Delivered-To: caml-list@sympa.inria.fr
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104])
	by sympa.inria.fr (Postfix) with ESMTPS id 00DCE823CD
	for <caml-list@sympa.inria.fr>; Wed, 31 Jan 2018 10:55:36 +0100 (CET)
Authentication-Results: mail3-smtp-sop.national.inria.fr; spf=None smtp.pra=daniel.buenzli@erratique.ch; spf=None smtp.mailfrom=daniel.buenzli@erratique.ch; spf=None smtp.helo=postmaster@smtp.webfaction.com
Received-SPF: None (mail3-smtp-sop.national.inria.fr: no sender
  authenticity information available from domain of
  daniel.buenzli@erratique.ch) identity=pra;
  client-ip=31.170.123.134;
  receiver=mail3-smtp-sop.national.inria.fr;
  envelope-from="daniel.buenzli@erratique.ch";
  x-sender="daniel.buenzli@erratique.ch";
  x-conformance=sidf_compatible
Received-SPF: None (mail3-smtp-sop.national.inria.fr: no sender
  authenticity information available from domain of
  daniel.buenzli@erratique.ch) identity=mailfrom;
  client-ip=31.170.123.134;
  receiver=mail3-smtp-sop.national.inria.fr;
  envelope-from="daniel.buenzli@erratique.ch";
  x-sender="daniel.buenzli@erratique.ch";
  x-conformance=sidf_compatible
Received-SPF: None (mail3-smtp-sop.national.inria.fr: no sender
  authenticity information available from domain of
  postmaster@smtp.webfaction.com) identity=helo;
  client-ip=31.170.123.134;
  receiver=mail3-smtp-sop.national.inria.fr;
  envelope-from="daniel.buenzli@erratique.ch";
  x-sender="postmaster@smtp.webfaction.com";
  x-conformance=sidf_compatible
IronPort-PHdr: =?us-ascii?q?9a23=3A7PvwERS59joShfvXNoZZpXEKftpsv+yvbD5Q0YIu?=
 =?us-ascii?q?jvd0So/mwa6zZhKN2/xhgRfzUJnB7Loc0qyK6/mmATRIyK3CmUhKSIZLWR4BhJ?=
 =?us-ascii?q?detC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+?=
 =?us-ascii?q?KPjrFY7OlcS30P2594HObwlSizexfa5+IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf?=
 =?us-ascii?q?5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbD?=
 =?us-ascii?q?VwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4rx1QxH0li?=
 =?us-ascii?q?gIKz858HnWisNuiqJbvAmhrAF7z4LNfY2ZKOZycqbbcNgHR2ROQ9xRWjRPDI28?=
 =?us-ascii?q?cYUBDOgOPehFoYf6qFQBsRSwChS3CePz0z9FnGP60Lcm3+kjFwzNwQwuH8gJsH?=
 =?us-ascii?q?TRtNj7Or0dUea0zKbWyTXMd+5bwSv76InJdhAhoOyHULVtfsXLz0kvFh3KjlGK?=
 =?us-ascii?q?pYP+IjOayOINsmmf7+phTu+glXQnqxtrrTizx8csk5TJiZwPxl/Y9SV02YA4Ls?=
 =?us-ascii?q?C2Rk58ZN6rCppQtyeCOot3RMMiWWBotzwgxr0Io563ZCcKyJU7xx7fdvyIaJKE?=
 =?us-ascii?q?7Q7kVOaUJzpzmXFreKqnihu87ESs0PDwW8uo3FpQsyZJjNfBumoQ2xHd5cWLUu?=
 =?us-ascii?q?Zx80Wi1DqVygze7uNJLVoqmafVNZIt2Lw9m5wOukrZBCD2gl/5jKqOe0Uk5Oeo?=
 =?us-ascii?q?7+Pnb639pp+ZK490khvyM6owlcOkD+Q3KBQBX3Sa+eS70r3v51H2QLJPjvEuk6?=
 =?us-ascii?q?nZto7VJdgDq6O3HgNZyJsv5hSjAzu8zdgUg3cKIEhYdB+JgIXlI1TOL+r5Dfe7?=
 =?us-ascii?q?jVSsijBrx/XeM7L8GJrNKHnDn6nlfbpn8EFc1RQ8zdZe5pJQC7EMO+z8WlXrtN?=
 =?us-ascii?q?PCEh85MhW0w/v5B9lnyoweWXqDArWFP6PKrV+I+uUvLvGQa4APvTb9L+Ep5/rv?=
 =?us-ascii?q?jX8ihV8QZrKp3JsSaHCgBPtqOUSZYXz2gtcAC2gGpAQ+TPa5wGGFBBNNaHu0Tu?=
 =?us-ascii?q?oG4SwxCYStDZvOR4bl1K6B0SGqF8QOPj9uBVWFEHOufIKBDbNETwmbJ8sptzUF?=
 =?us-ascii?q?UbmnRMcF1Aqy/Fvxwr9ja+7V4TEwtJT51dEz6feFxj8o8jkhI82b0myJeEvgmH?=
 =?us-ascii?q?EMRndi0Kl5oEF5jF2e3K5qh/1wGMZJ7u9ISxo3c5Xcmb8pQ+vuUx7MK4/aAG2t?=
 =?us-ascii?q?Rc+rVHRoFopoko0+Jn1lEtDntSjtmi+jArsbjbuOXcBm/7jG1mTwPttwjX3Ghv?=
 =?us-ascii?q?F40wsWB/BXPGjjvZZRshDJDteVwUiDja+2dL0B0WjG9DXblDfcjARjSAd1FJ79?=
 =?us-ascii?q?czUfa0/R942r/UbeV/mxBL4pOwBdyMmEbKBNb4+xgA=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CgBwDmkXFah4Z7qh9BGhwBAQEEAQEKA?=
 =?us-ascii?q?QGEKHUog2CLGI4hAYFYiRKQSwolhRYCgmMGBTQUAQEBAQEBAQEBAQESAQEBCA0?=
 =?us-ascii?q?JCCgvgjgkAYJHAQQBI1sLCw4MAhgOAgIhJhAGARKKHQMNDAwzpmKCJ4c5DYELg?=
 =?us-ascii?q?hIBCgEBAR8FgQ+DTIMehWSBSYEiRAICGYFWgxctgjgFo1s+gR+GeYhLkSWIDY1?=
 =?us-ascii?q?nR4k6gTw2gXKBQoIqgmEEghN3AQmMWgEBAQ?=
X-IPAS-Result: =?us-ascii?q?A0CgBwDmkXFah4Z7qh9BGhwBAQEEAQEKAQGEKHUog2CLGI4?=
 =?us-ascii?q?hAYFYiRKQSwolhRYCgmMGBTQUAQEBAQEBAQEBAQESAQEBCA0JCCgvgjgkAYJHA?=
 =?us-ascii?q?QQBI1sLCw4MAhgOAgIhJhAGARKKHQMNDAwzpmKCJ4c5DYELghIBCgEBAR8FgQ+?=
 =?us-ascii?q?DTIMehWSBSYEiRAICGYFWgxctgjgFo1s+gR+GeYhLkSWIDY1nR4k6gTw2gXKBQ?=
 =?us-ascii?q?oIqgmEEghN3AQmMWgEBAQ?=
X-IronPort-AV: E=Sophos;i="5.46,439,1511823600"; 
   d="scan'208";a="253095567"
Received: from mail6.webfaction.com (HELO smtp.webfaction.com) ([31.170.123.134])
  by mail3-smtp-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 Jan 2018 10:55:36 +0100
Received: from hehey.local.mail (7.232.197.178.dynamic.wless.lssmb00p-cgnat.res.cust.swisscom.ch [178.197.232.7])
	by smtp.webfaction.com (Postfix) with ESMTPSA id 1243260760805;
	Wed, 31 Jan 2018 09:55:34 +0000 (UTC)
Date: Wed, 31 Jan 2018 10:55:35 +0100
From: =?utf-8?Q?Daniel_B=C3=BCnzli?= <daniel.buenzli@erratique.ch>
To: Evgeny Roubinchtein <zhenya1007@gmail.com>, OCaml Mailing List
 <caml-list@inria.fr>
Message-ID: <etPan.5a719297.3a5ac6e6.14b69@erratique.ch>
In-Reply-To: <CAGYXaSbWu_6j5qkuEs=M-1ycs5-3SB6OhihC8Di6dwZLDbeOQA@mail.gmail.com>
References: <CAGYXaSbWu_6j5qkuEs=M-1ycs5-3SB6OhihC8Di6dwZLDbeOQA@mail.gmail.com>
X-Mailer: Airmail (467)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Subject: Re: [Caml-list] OCaml vs CVE-2017-9779

On 31 January 2018 at 02:43:28, Evgeny Roubinchtein (zhenya1007@gmail.com) =
wrote:

> 1. Which versions of the OCaml compiler produce executables which are
> affected by the vulnerability/ies described in CVE-2017-9779?

4.04.0 and 4.04.1

> 2. What mitigation/s (if any) are suggested?

Unless you can control the environment an prevent use of CAML_CPLUGINS and =
CAML_NATIVE_CPLUGINS I'm not sure there's any except avoiding using the com=
pilers above. Note that the escalation affects only setuid binaries.

For reference here's the discussion about the bug:

=C2=A0 https://caml.inria.fr/mantis/view.php?id=3D7557

the commit that introduced the vulnerability:

=C2=A0 https://github.com/ocaml/ocaml/pull/668/commits/6a83bdd5937522efeeff=
496349c22bcb2f832866

and the resolution:

=C2=A0 https://github.com/ocaml/ocaml/commit/850021c200c7507f2a928a66fa1291=
ff4ae3a622
=C2=A0 https://github.com/ocaml/ocaml/pull/1213

Best,=C2=A0

Daniel