Date: Fri, 29 Apr 2016 10:49:11 -0400 (EDT) From: cve-assign@...re.org To: cuoq@...st-in-soft.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: buffer overflow and information leak in OCaml < 4.03.0 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit > platforms, causes sizes arguments to an internal memmove call to be > sign-extended from 32 to 64-bits before being passed to the memmove > function. > > This leads arguments between 2GiB and 4GiB to be interpreted as larger > than they are (specifically, a bit below 2^64), causing a buffer > overflow. > > Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than > they should be, causing a possible information leak. > > This commit fixes the bug: > https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762 > The function caml_bit_string is called indirectly from such functions > as String.copy. String.copy for instance is supposed to be a "safe" > function for which OCaml's memory safety guarantees apply. Use CVE-2015-8869. (We consider this a single "to be sign-extended from 32 to 64" issue even though there are two different types of impacts. Also, the structure of the code change ("Int_val" replaced by "Long_val") is the same everywhere. We did not consider it worthwhile to sort through the possible "independently encountered" aspects as mentioned, for example, in the https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#commitcomment-14040616 comment.) - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXI3NXAAoJEHb/MwWLVhi2RdEQAI71I2vgUNPxtIPV5muuzuT/ BGlgZLTiWI6HgmFvV7mRtNonvKockAP150f7cArfGgsG13DVViE45IYCk4WHacnW aTfRtbPYBZ+eawApm1tWmSxXi4Idt2sSBPXxnA46vwKUZo3oDG8p0oxEanZ1O1Y6 v+zAL4vVNq+IdSnpPzwM368C/gc1KDBM0uLu7qVoV6E2qHriWXpWpEZ7MGqab5Dv 2/8ZhpdAnZDVzMSzGbKY+h1k1JjwWnIx3WmWzU65JKF3ccDtLyWy+LaRT5D63d/K f5orQDKfJyxc9UQIa+TH4waYQZ64f1xb5haTZaQv8tJVxlwVKD0vVk/eVrlN/r1e XXbtknwlMcWLf30hKqzOcDwAfWf2rPtUk5h6PotFVR42esLTTDg7BlIjYFilBXw0 AlVyDrZ4cBlnd3ZeeyJW2moEoErRlnYFrqdijjIBmHPokoPVAOUcfcU2saBfkFqP suYLBcMHrpvitrr4V5yu5T2ZYZI9DtEse+z3Oe+wupCemyfoXXcGvX7Kwz0j4oIk bFDuuKtNpo4do+2JkCwbczGwIGAyW20rBbyJqkMMGI1c3VlY/rzn8hES3ltKjVND 1WShu2c9wwyIhhYUKuacdx8RvuZinNBAlmkWdpNUI33XsVXmdRiEhjB+RGyvqv/X a2JgvU+8pOLRMJsRX7CA =BBAV -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ