Bug 622544 (CVE-2017-9772) - <dev-lang/ocaml-4.04.2: Privilege escalation in OCaml runtime for SUID executables
Status: RESOLVED FIXED
Alias: CVE-2017-9772
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-23 16:53 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-10-08 14:05 UTC

See Also:
Package list:
dev-lang/ocaml-4.04.2
Runtime testing required: ---
stable-bot: sanity-check+


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-23 16:53:56 UTC
Anyone packaging OCaml 4.04.0 or OCaml 4.04.1 and installing setuid binaries
with it should be aware of this CVE, and upgrade their distribution packaging
accordingly.  Please get in touch with me if you are having any issues with
upgrading to the latest OCaml 4.04.2.

Anil

> Begin forwarded message:
> 
> From: Damien Doligez <Damien.Doligez@...ia.fr>
> Subject: [Caml-list] OCaml release 4.04.2
> Date: 23 June 2017 at 16:18:44 BST
> To: caml announce <caml-announce@...ia.fr>, caml users <caml-list@...ia.fr>
> Reply-To: Damien Doligez <Damien.Doligez@...ia.fr>
> 
> 
> Dear OCaml users,
> 
> We have the pleasure of celebrating the birthday of Alan Turing by
> announcing the release of OCaml version 4.04.2.
> 
> This minor release fixes the security issue described in
> CVE-2017-9772 (included below).
> 
> All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1.
> Any user who produces setuid programs with OCaml should read the CVE
> and upgrade immediately.
> 
> It is available as an OPAM switch, or as a source download here:
>  https://caml.inria.fr/pub/distrib/ocaml-4.04/
>  https://github.com/ocaml/ocaml/archive/4.04.2.tar.gz
> 
> Happy hacking,
> 
> -- Damien Doligez for the OCaml team.
> 
> 
> OCaml 4.04.2 (23 Jun 2017):
> ---------------------------
> 
> ### Security fix:
> 
> - PR#7557: Local privilege escalation issue with ocaml binaries.
>  (Damien Doligez, report by Eric Milliken, review by Xavier Leroy)
> 
> --------------------------------------------------------------------
> 
> CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables
> 
> The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and
> CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled
> executable or any ocamlc-compiled executable in ‘custom runtime mode’.
> This can lead to privilege escalation if the executable is marked setuid.
> 
> Vulnerable versions: OCaml 4.04.0 and 4.04.1
> 
> Workarounds:
>   - Upgrade to OCaml 4.04.2 or higher.
> or - Compile the OCaml distribution with the "-no-cplugins" configure option.
> or - OPAM users can "opam update && opam switch recompile 4.04.1", as
>     the repository has had backported patches applied.
> 
> Impact: This only affects binaries that have been installed on Unix-like
> operating systems (including Linux and macOS) with the setuid bit set.
> However, in that situation, any user who executes the program gains all
> the privileges of the owner of the executable (meaning that root-owned
> setuid executables provide root access).
> 
> Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv
> to raise an exception if the process has ever had elevated privileges.
> The OCaml runtime has also been modified to use this function for
> retrieving all of the runtime environment variables which could potentially
> cause files to be accessed or modified.  The older behaviour is available
> in Sys.unsafe_getenv for applications that require strict compatibility.
> 
> Credits: This was originally reported by Eric Milliken on the OCaml Mantis
> bug tracker. https://caml.inria.fr/mantis/view.php?id=7557
> 
> References: see CVE-2017-9779 for a lesser vulnerability in older versions.
> 
> CVSS v2 Vector:
> AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L
> CWE ID: 114
Comment 1 Alexis Ballier gentoo-dev 2017-06-25 14:43:58 UTC
4.04.2 is in tree and should be ready for being stabilized

I've checked my system for setuid binaries and found nothing built by ocaml but I might have missed some.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-06-28 13:39:50 UTC
(In reply to Alexis Ballier from comment #1)
> I've checked my system for setuid binaries and found nothing built by ocaml
> but I might have missed some.

For the GLSA we would need at least a way to identify binaries built by ocaml...

@ Arches,

please test and mark stable: =dev-lang/ocaml-4.04.2
Comment 3 Alexis Ballier gentoo-dev 2017-06-28 14:11:38 UTC
(In reply to Thomas Deutschmann from comment #2)
> (In reply to Alexis Ballier from comment #1)
> > I've checked my system for setuid binaries and found nothing built by ocaml
> > but I might have missed some.
> 
> For the GLSA we would need at least a way to identify binaries built by
> ocaml...

Note: Everything built with ocaml must have := dep on it so will be rebuilt with latest version automatically.
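
One way to approach the identification question raised in comments 2 and 3, as an added example that is not part of the bug thread or of Gentoo's tooling: list setuid files that embed the environment-variable name from the advisory. The function names are hypothetical, and treating the literal string CAML_CPLUGINS as a sign of a plugin-capable OCaml runtime is an assumption of this sketch; a binary rebuilt against 4.04.2 may still contain it, so a hit means "check which OCaml this was built with", not "vulnerable".

```shell
#!/bin/sh
# Added example: audit helper for setuid files that look like they carry an
# OCaml runtime with C-plugin support (heuristic, see lead-in).

# find_suid_ocaml DIR [MARKER]
# Prints every regular file under DIR that has the setuid bit set and
# contains MARKER as a literal byte string. MARKER defaults to the variable
# name quoted in the CVE-2017-9772 advisory.
find_suid_ocaml() {
    dir=$1
    marker=${2:-CAML_CPLUGINS}
    # -xdev stays on one filesystem; -perm -4000 selects the setuid bit.
    find "$dir" -xdev -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        # -F: literal match, -q: exit status only (works on binary files).
        if grep -qF -- "$marker" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# make_fixture
# Builds a throwaway directory of CONSTRUCTED sample files (not real
# executables) so the scan can be exercised offline; prints its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    # setuid + marker: should be reported
    printf 'ELF\000getenv\000CAML_CPLUGINS\000' > "$d/suid_ocaml"
    # setuid, no marker: should be ignored
    printf 'ELF\000getenv\000PATH\000' > "$d/suid_other"
    # marker but not setuid: outside the scope of the CVE, ignored
    printf 'ELF\000getenv\000CAML_CPLUGINS\000' > "$d/plain_ocaml"
    chmod 4755 "$d/suid_ocaml" "$d/suid_other"
    chmod 0755 "$d/plain_ocaml"
    printf '%s\n' "$d"
}

# Stand-alone use: pass the directory to scan (and optionally a marker).
if [ "$#" -gt 0 ]; then
    find_suid_ocaml "$@"
fi
```

Run it as root over each mounted filesystem (for example `/` and `/usr`) so unreadable files are not silently skipped.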
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-29 08:07:18 UTC
amd64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-30 08:15:08 UTC
ia64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-30 11:12:17 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2017-07-07 06:18:17 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-07-07 09:11:25 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-07-07 13:26:31 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-07-07 14:52:03 UTC
ppc64 stable
Comment 11 Tobias Klausmann gentoo-dev 2017-07-16 11:11:54 UTC
Stable on alpha.
Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 00:36:35 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-27 09:38:21 UTC
hppa stable
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-27 11:54:07 UTC
GLSA request opened.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-10-08 14:05:31 UTC
This issue was resolved and addressed in
 GLSA 201710-07 at https://security.gentoo.org/glsa/201710-07
by GLSA coordinator Aaron Bauman (b-man).