Description: "The caml_ba_deserialize function in byterun/bigarray.c in the standard library in OCaml 4.06.0 has an integer overflow which, in situations where marshalled data is accepted from an untrusted source, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted object."
ping
sparc was missed...
This issue was resolved and addressed in GLSA 202007-48 at https://security.gentoo.org/glsa/202007-48 by GLSA coordinator Sam James (sam_c).
(In reply to GLSAMaker/CVETool Bot from comment #3) > This issue was resolved and addressed in > GLSA 202007-48 at https://security.gentoo.org/glsa/202007-48 > by GLSA coordinator Sam James (sam_c). Reopening for sparc stabilisation.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
On a stable system, one can't update dev-lang/ocaml-4.09.0 without unmasking dev-ml/ocamlbuild-0.14.0 and possibly some other packages. See this forum thread: <https://forums.gentoo.org/viewtopic-t-1114522-highlight-ocaml.html>
(In reply to Mark Purtill from comment #6) > On a stable system, one can't update dev-lang/ocaml-4.09.0 without unmasking > dev-ml/ocamlbuild-0.14.0 and possibly some other packages. See this forum > thread: > > <https://forums.gentoo.org/viewtopic-t-1114522-highlight-ocaml.html> I think this should be fixed now, or at least getting there.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34b06d35218d9e444050526511da10962ea72c2f commit 34b06d35218d9e444050526511da10962ea72c2f Author: Sam James <sam@gentoo.org> AuthorDate: 2021-06-08 04:58:53 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-06-08 04:59:09 +0000 dev-lang/ocaml: add CVE-2018-9838 patch to 4.05.0 Closes: https://bugs.gentoo.org/755257 Bug: https://bugs.gentoo.org/719134 Signed-off-by: Sam James <sam@gentoo.org> .../ocaml/files/ocaml-4.05.0-CVE-2018-9838.patch | 70 ++++++++++ dev-lang/ocaml/ocaml-4.05.0-r4.ebuild | 143 +++++++++++++++++++++ 2 files changed, 213 insertions(+)
Unable to check for sanity: > no match for package: dev-lang/ocaml-4.09.0
Unable to check for sanity: > no match for package: dev-lang/ocaml-4.09.0-r1
ping. Some cleanup is still needed (see PR) to fully resolve this bug.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da16ce0bc073186b149ff9cd6c6e8b724c88fd59 commit da16ce0bc073186b149ff9cd6c6e8b724c88fd59 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2023-10-22 23:00:32 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-10-28 00:24:09 +0000 dev-lang/ocaml: drop 4.05.0-r9 Bug: https://bugs.gentoo.org/719134 Signed-off-by: John Helmert III <ajak@gentoo.org> Closes: https://github.com/gentoo/gentoo/pull/28090 Signed-off-by: Sam James <sam@gentoo.org> dev-lang/ocaml/Manifest | 3 - dev-lang/ocaml/ocaml-4.05.0-r9.ebuild | 156 ---------------------------------- 2 files changed, 159 deletions(-)
