Bug 755257 - dev-lang/ocaml-4.05.0-r1: Fixing GLSA 202007-48 for unison-compatibility with Debian
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Team for the ML programming language family
Depends on:
Blocks: CVE-2018-9838
Reported: 2020-11-18 11:58 UTC by Stefan Huber
Modified: 2021-06-08 05:00 UTC

See Also:
Package list:
Runtime testing required: ---


Description Stefan Huber 2020-11-18 11:58:55 UTC
OCaml version <4.09.0 suffers from GLSA 202007-48. On the other hand, the current stable version ocaml-4.09.0 uses a different marshaling format, which makes unison built against it incompatible with the unison shipped by Debian Buster, for instance. The latest ocaml version that works for this use case is ocaml-4.05.0-r1. (I cannot remember whether ocaml-4.04.2-r1 also does.)

Now, while unison relying on the ocaml marshaling mechanism is an issue in itself [1], I would still propose to investigate fixing GLSA 202007-48 for ocaml-4.05.0-r1 for unison users that synchronize with other Debian Buster (and probably some others).


Reproducible: Always
Comment 1 Stefan Huber 2020-11-18 12:20:34 UTC
Debian has fixed this issue with 4.05.0-11, see [1]. According to [1], the patch that was used is this [2] one. I have applied the patch [2] to ocaml-4.05.0-r1, which builds fine and unison works, too.


P.S. Note that GLSA 202007-48 actually concerns the very same marshaling mechanism that stops unison users from upgrading to ocaml-4.09.0.
Comment 2 Stefan Huber 2020-11-30 08:09:57 UTC
I just realized that unison (all versions) fails to build due to an undefined reference to `caml_umul_overflow`. The following patch, however, changes the call to caml_umul_overflow in the patch to a call to caml_ba_multov:

Unison 2.48.15_p4-r2 and 2.51.3_p20201024 compile against dev-lang/ocaml-4.05.0-r1 with the proposed patch applied.
Comment 3 Larry the Git Cow gentoo-dev 2020-12-20 18:43:12 UTC
The bug has been referenced in the following commit(s):

commit 73b6349cc23be7639100ff7f759516d6e28157a8
Author:     Sam James <>
AuthorDate: 2020-12-20 18:41:02 +0000
Commit:     Sam James <>
CommitDate: 2020-12-20 18:43:08 +0000

    dev-ml/findlib: lower the minimum OCaml version

    Some users still need an older version of OCaml for
    e.g. Unison where there are compatibility issues
    we need to handle.

    Thanks-to: Stefan Huber <>
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <>

 .../findlib/{findlib-1.8.1-r1.ebuild => findlib-1.8.1-r2.ebuild}   | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2021-06-08 04:59:17 UTC
The bug has been closed via the following commit(s):

commit 34b06d35218d9e444050526511da10962ea72c2f
Author:     Sam James <>
AuthorDate: 2021-06-08 04:58:53 +0000
Commit:     Sam James <>
CommitDate: 2021-06-08 04:59:09 +0000

    dev-lang/ocaml: add CVE-2018-9838 patch to 4.05.0

    Signed-off-by: Sam James <>

 .../ocaml/files/ocaml-4.05.0-CVE-2018-9838.patch   |  70 ++++++++++
 dev-lang/ocaml/ocaml-4.05.0-r4.ebuild              | 143 +++++++++++++++++++++
 2 files changed, 213 insertions(+)