
Bug 719134 (CVE-2018-9838)

Summary: <dev-lang/ocaml-4.09.0: Integer overflow (CVE-2018-9838)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: gienah, ml, sam
Priority: Normal
Flags: nattka: sanity-check-
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa+ cleanup cve]
Package list:
dev-lang/ocaml-4.09.0-r1
Runtime testing required: Yes
Bug Depends on: 737154, 704246, 708696, 755257    
Bug Blocks:    

Description Sam James archtester gentoo-dev Security 2020-04-23 22:39:07 UTC
Description:
"The caml_ba_deserialize function in byterun/bigarray.c in the standard library in OCaml 4.06.0 has an integer overflow which, in situations where marshalled data is accepted from an untrusted source, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted object."
Comment 1 Sam James archtester gentoo-dev Security 2020-06-20 02:10:23 UTC
ping
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-07-26 22:33:13 UTC
sparc was missed...
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 01:27:24 UTC
This issue was resolved and addressed in
 GLSA 202007-48 at https://security.gentoo.org/glsa/202007-48
by GLSA coordinator Sam James (sam_c).
Comment 4 Sam James archtester gentoo-dev Security 2020-07-27 01:28:45 UTC
(In reply to GLSAMaker/CVETool Bot from comment #3)
> This issue was resolved and addressed in
>  GLSA 202007-48 at https://security.gentoo.org/glsa/202007-48
> by GLSA coordinator Sam James (sam_c).

Reopening for sparc stabilisation.
Comment 5 NATTkA bot gentoo-dev 2020-07-27 17:29:01 UTC Comment hidden (obsolete)
Comment 6 Mark Purtill 2020-07-27 22:03:57 UTC
On a stable system, one can't update dev-lang/ocaml-4.09.0 without unmasking dev-ml/ocamlbuild-0.14.0 and possibly some other packages.  See this forum thread:

<https://forums.gentoo.org/viewtopic-t-1114522-highlight-ocaml.html>
Comment 7 Sam James archtester gentoo-dev Security 2020-10-17 01:55:06 UTC
(In reply to Mark Purtill from comment #6)
> On a stable system, one can't update dev-lang/ocaml-4.09.0 without unmasking
> dev-ml/ocamlbuild-0.14.0 and possibly some other packages.  See this forum
> thread:
> 
> <https://forums.gentoo.org/viewtopic-t-1114522-highlight-ocaml.html>

I think this should be fixed now, or at least getting there.
Comment 8 Larry the Git Cow gentoo-dev 2021-06-08 04:59:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34b06d35218d9e444050526511da10962ea72c2f

commit 34b06d35218d9e444050526511da10962ea72c2f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-08 04:58:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-08 04:59:09 +0000

    dev-lang/ocaml: add CVE-2018-9838 patch to 4.05.0
    
    Closes: https://bugs.gentoo.org/755257
    Bug: https://bugs.gentoo.org/719134
    Signed-off-by: Sam James <sam@gentoo.org>

 .../ocaml/files/ocaml-4.05.0-CVE-2018-9838.patch   |  70 ++++++++++
 dev-lang/ocaml/ocaml-4.05.0-r4.ebuild              | 143 +++++++++++++++++++++
 2 files changed, 213 insertions(+)
Comment 9 NATTkA bot gentoo-dev 2021-06-09 21:48:33 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-06-18 21:12:39 UTC
Unable to check for sanity:

> no match for package: dev-lang/ocaml-4.09.0-r1