Date: Fri, 23 Jun 2017 17:33:39 +0100 From: Anil Madhavapeddy <anil@...oil.org> To: Leo Famulari <leo@...ulari.name> Cc: oss-security@...ts.openwall.com, Damien Doligez <damien.doligez@...ia.fr> Subject: Re: CVE-2017-9772: OCaml release 4.04.2 Hi Leo, The ocaml.org <http://ocaml.org/> site is just being rebuilt in CI so it will be a few minutes before the release is on the live site. In the meanwhile, all the distribution tarballs are available at: https://caml.inria.fr/pub/distrib/ocaml-4.04/ <https://caml.inria.fr/pub/distrib/ocaml-4.04/> regards, Anil > On 23 Jun 2017, at 17:24, Leo Famulari <leo@...ulari.name> wrote: > > Hi Anil, > > Can you tell us where to get OCaml 4.04.2? It's not available here: > > https://ocaml.org/releases/ > > On Fri, Jun 23, 2017 at 04:28:28PM +0100, Anil Madhavapeddy wrote: >> Anyone packaging OCaml 4.04.0 or OCaml 4.04.1 and installing setuid binaries >> with it should be aware of this CVE, and upgrade their distribution packaging >> accordingly. Please get in touch with me if you are having any issues with >> upgrading to the latest OCaml 4.04.2. >> >> Anil >> >>> Begin forwarded message: >>> >>> From: Damien Doligez <Damien.Doligez@...ia.fr> >>> Subject: [Caml-list] OCaml release 4.04.2 >>> Date: 23 June 2017 at 16:18:44 BST >>> To: caml announce <caml-announce@...ia.fr>, caml users <caml-list@...ia.fr> >>> Reply-To: Damien Doligez <Damien.Doligez@...ia.fr> >>> >>> >>> Dear OCaml users, >>> >>> We have the pleasure of celebrating the birthday of Alan Turing by >>> announcing the release of OCaml version 4.04.2. >>> >>> This minor release fixes the security issue described in >>> CVE-2017-9772 (included below). >>> >>> All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1. >>> Any user who produces setuid programs with OCaml should read the CVE >>> and upgrade immediately. >>> >>> It is available as an OPAM switch, or as a source download here: >>> https://caml.inria.fr/pub/distrib/ocaml-4.04/ >>> https://github.com/ocaml/ocaml/archive/4.04.2.tar.gz >>> >>> Happy hacking, >>> >>> -- Damien Doligez for the OCaml team. >>> >>> >>> OCaml 4.04.2 (23 Jun 2017): >>> --------------------------- >>> >>> ### Security fix: >>> >>> - PR#7557: Local privilege escalation issue with ocaml binaries. >>> (Damien Doligez, report by Eric Milliken, review by Xavier Leroy) >>> >>> -------------------------------------------------------------------- >>> >>> CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables >>> >>> The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and >>> CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled >>> executable or any ocamlc-compiled executable in ‘custom runtime mode’. >>> This can lead to privilege escalation if the executable is marked setuid. >>> >>> Vulnerable versions: OCaml 4.04.0 and 4.04.1 >>> >>> Workarounds: >>> - Upgrade to OCaml 4.04.2 or higher. >>> or - Compile the OCaml distribution with the "-no-cplugins" configure option. >>> or - OPAM users can "opam update && opam switch recompile 4.04.1", as >>> the repository has had backported patches applied. >>> >>> Impact: This only affects binaries that have been installed on Unix-like >>> operating systems (including Linux and macOS) with the setuid bit set. >>> However, in that situation, any user who execute the program gains all >>> the privileges of the owner of the executable (meaning that root-owned >>> setuid executables provide root access). >>> >>> Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv >>> to raise an exception if the process has ever had elevated privileges. >>> The OCaml runtime has also been modified to use this function for >>> retrieving all of the runtime environment variables which could potentially >>> cause files to be accessed or modified. The older behaviour is available >>> in Sys.unsafe_getenv for applications that require strict compatibility. >>> >>> Credits: This was originally reported by Eric Milliken on the OCaml Mantis >>> bug tracker. https://caml.inria.fr/mantis/view.php?id=7557 >>> >>> References: see CVE-2017-9779 for a lesser vulnerability in older versions. >>> >>> CVSS v2 Vector: >>> AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L >>> CWE ID: 114 >>> >>> >>> -- >>> Caml-list mailing list. Subscription management and archives: >>> https://sympa.inria.fr/sympa/arc/caml-list >>> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners >>> Bug reports: http://caml.inria.fr/bin/caml-bugs >>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ