
Bug 755257

Summary: dev-lang/ocaml-4.05.0-r1: Fixing GLSA 202007-48 for unison-compatibility with Debian
Product: Gentoo Linux
Reporter: Stefan Huber <shuber>
Component: Current packages
Assignee: Gentoo Team for the ML programming language family <ml>
Status: RESOLVED FIXED
Severity: normal
CC: gienah, sam, security
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 719134

Description Stefan Huber 2020-11-18 11:58:55 UTC
Ocaml version <4.09.0 suffers from GLSA 202007-48. On the other hand, the current stable version ocaml-4.09.0 uses a different marshaling format, which makes unison built against it incompatible with the unison shipped by Debian Buster, for instance. The latest ocaml version that works for this use case is ocaml-4.05.0-r1. (I cannot remember whether ocaml-4.04.2-r1 also does.)

Now, while unison relying on the ocaml marshaling mechanism is an issue in itself [1], I would still propose investigating a fix for GLSA 202007-48 in ocaml-4.05.0-r1 for unison users that synchronize with Debian Buster (and probably some other) hosts.


[1] https://lists.seas.upenn.edu/pipermail/unison-hackers/2020-February/001962.html

Reproducible: Always
Comment 1 Stefan Huber 2020-11-18 12:20:34 UTC
Debian has fixed this issue with 4.05.0-11, see [1]. According to [1], the patch that was used is this [2] one. I have applied the patch [2] to ocaml-4.05.0-r1, which builds fine and unison works, too.


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895472#25
[2] https://salsa.debian.org/ocaml-team/ocaml/commit/25dd36af0e6921c7df85b80d4cac68a177a8def5


P.S. Note that GLSA 202007-48 actually concerns the very same marshaling mechanism that stops unison users from upgrading to ocaml-4.09.0.
Comment 2 Stefan Huber 2020-11-30 08:09:57 UTC
I just realized that unison (all versions) fails to build due to an undefined reference to `caml_umul_overflow`. The following patch, however, changes the call to caml_umul_overflow in the patch to a call to caml_ba_multov:

https://gitea.lakaban.net/def/ocaml/commit/c6ca3afc78b75d7748e4e09e56c6b020418be06e

Unison 2.48.15_p4-r2 and 2.51.3_p20201024 compile against dev-lang/ocaml-4.05.0-r1 with the proposed patch applied.
Comment 3 Larry the Git Cow gentoo-dev 2020-12-20 18:43:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73b6349cc23be7639100ff7f759516d6e28157a8

commit 73b6349cc23be7639100ff7f759516d6e28157a8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-12-20 18:41:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-20 18:43:08 +0000

    dev-ml/findlib: lower the minimum OCaml version
    
    Some users still need an older version of OCaml for
    e.g. Unison where there are compatibility issues
    we need to handle.
    
    Thanks-to: Stefan Huber <shuber@sthu.org>
    Bug: https://bugs.gentoo.org/755257
    Closes: https://bugs.gentoo.org/760911
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 .../findlib/{findlib-1.8.1-r1.ebuild => findlib-1.8.1-r2.ebuild}   | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2021-06-08 04:59:17 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34b06d35218d9e444050526511da10962ea72c2f

commit 34b06d35218d9e444050526511da10962ea72c2f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-08 04:58:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-08 04:59:09 +0000

    dev-lang/ocaml: add CVE-2018-9838 patch to 4.05.0
    
    Closes: https://bugs.gentoo.org/755257
    Bug: https://bugs.gentoo.org/719134
    Signed-off-by: Sam James <sam@gentoo.org>

 .../ocaml/files/ocaml-4.05.0-CVE-2018-9838.patch   |  70 ++++++++++
 dev-lang/ocaml/ocaml-4.05.0-r4.ebuild              | 143 +++++++++++++++++++++
 2 files changed, 213 insertions(+)