Date: Fri, 29 Apr 2016 10:49:11 -0400 (EDT) From: cve-assign@...re.org To: cuoq@...st-in-soft.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: buffer overflow and information leak in OCaml < 4.03.0 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit > platforms, causes sizes arguments to an internal memmove call to be > sign-extended from 32 to 64-bits before being passed to the memmove > function. > > This leads arguments between 2GiB and 4GiB to be interpreted as larger > than they are (specifically, a bit below 2^64), causing a buffer > overflow. > > Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than > they should be, causing a possible information leak. > > This commit fixes the bug: > https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762 > The function caml_bit_string is called indirectly from such functions > as String.copy. String.copy for instance is supposed to be a "safe" > function for which OCaml's memory safety guarantees apply. Use CVE-2015-8869. (We consider this a single "to be sign-extended from 32 to 64" issue even though there are two different types of impacts. Also, the structure of the code change ("Int_val" replaced by "Long_val") is the same everywhere. We did not consider it worthwhile to sort through the possible "independently encountered" aspects as mentioned, for example, in the https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#commitcomment-14040616 comment.) - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXI3NXAAoJEHb/MwWLVhi2RdEQAI71I2vgUNPxtIPV5muuzuT/ BGlgZLTiWI6HgmFvV7mRtNonvKockAP150f7cArfGgsG13DVViE45IYCk4WHacnW aTfRtbPYBZ+eawApm1tWmSxXi4Idt2sSBPXxnA46vwKUZo3oDG8p0oxEanZ1O1Y6 v+zAL4vVNq+IdSnpPzwM368C/gc1KDBM0uLu7qVoV6E2qHriWXpWpEZ7MGqab5Dv 2/8ZhpdAnZDVzMSzGbKY+h1k1JjwWnIx3WmWzU65JKF3ccDtLyWy+LaRT5D63d/K f5orQDKfJyxc9UQIa+TH4waYQZ64f1xb5haTZaQv8tJVxlwVKD0vVk/eVrlN/r1e XXbtknwlMcWLf30hKqzOcDwAfWf2rPtUk5h6PotFVR42esLTTDg7BlIjYFilBXw0 AlVyDrZ4cBlnd3ZeeyJW2moEoErRlnYFrqdijjIBmHPokoPVAOUcfcU2saBfkFqP suYLBcMHrpvitrr4V5yu5T2ZYZI9DtEse+z3Oe+wupCemyfoXXcGvX7Kwz0j4oIk bFDuuKtNpo4do+2JkCwbczGwIGAyW20rBbyJqkMMGI1c3VlY/rzn8hES3ltKjVND 1WShu2c9wwyIhhYUKuacdx8RvuZinNBAlmkWdpNUI33XsVXmdRiEhjB+RGyvqv/X a2JgvU+8pOLRMJsRX7CA =BBAV -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.