Ocaml version <4.09.0 suffers from GLSA 202007-48. On the other hand, the current stable version ocaml-4.09.0 uses a different marshaling format, which makes unison built against it incompatible with the unison shipped by Debian Buster, for instance. The latest ocaml version that works for this use case is ocaml-4.05.0-r1. (I cannot remember whether ocaml-4.04.2-r1 also does.)

Now, while unison relying on the ocaml marshaling mechanism is an issue in itself [1], I would still propose investigating a fix for GLSA 202007-48 in ocaml-4.05.0-r1 for unison users that synchronize with Debian Buster (and probably some other) systems.

[1] https://lists.seas.upenn.edu/pipermail/unison-hackers/2020-February/001962.html

Reproducible: Always
Debian has fixed this issue with 4.05.0-11, see [1]. According to [1], the patch that was used is this [2] one. I have applied the patch [2] to ocaml-4.05.0-r1, which builds fine, and unison works, too.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895472#25
[2] https://salsa.debian.org/ocaml-team/ocaml/commit/25dd36af0e6921c7df85b80d4cac68a177a8def5

P.S. Note that GLSA 202007-48 actually concerns the very same marshaling mechanism that stops unison users from upgrading to ocaml-4.09.0.
I just realized that unison (all versions) fails to build due to an undefined reference to `caml_umul_overflow`. The following patch, however, changes the call to caml_umul_overflow in the patch to a call to caml_ba_multov: https://gitea.lakaban.net/def/ocaml/commit/c6ca3afc78b75d7748e4e09e56c6b020418be06e

Unison 2.48.15_p4-r2 and 2.51.3_p20201024 compile against dev-lang/ocaml-4.05.0-r1 with the proposed patch applied.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73b6349cc23be7639100ff7f759516d6e28157a8

commit 73b6349cc23be7639100ff7f759516d6e28157a8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-12-20 18:41:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-20 18:43:08 +0000

    dev-ml/findlib: lower the minimum OCaml version

    Some users still need an older version of OCaml for e.g. Unison
    where there are compatibility issues we need to handle.

    Thanks-to: Stefan Huber <shuber@sthu.org>
    Bug: https://bugs.gentoo.org/755257
    Closes: https://bugs.gentoo.org/760911
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 .../findlib/{findlib-1.8.1-r1.ebuild => findlib-1.8.1-r2.ebuild} | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34b06d35218d9e444050526511da10962ea72c2f

commit 34b06d35218d9e444050526511da10962ea72c2f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-08 04:58:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-08 04:59:09 +0000

    dev-lang/ocaml: add CVE-2018-9838 patch to 4.05.0

    Closes: https://bugs.gentoo.org/755257
    Bug: https://bugs.gentoo.org/719134
    Signed-off-by: Sam James <sam@gentoo.org>

 .../ocaml/files/ocaml-4.05.0-CVE-2018-9838.patch |  70 ++++++++++
 dev-lang/ocaml/ocaml-4.05.0-r4.ebuild            | 143 +++++++++++++++++++++
 2 files changed, 213 insertions(+)