oss-sec mailing list archives
Re: CVE-2017-9772: OCaml release 4.04.2
From: Anil Madhavapeddy <anil () recoil org>
Date: Fri, 23 Jun 2017 17:33:39 +0100
Hi Leo, The ocaml.org <http://ocaml.org/> site is just being rebuilt in CI so it will be a few minutes before the release is on the live site. In the meanwhile, all the distribution tarballs are available at: https://caml.inria.fr/pub/distrib/ocaml-4.04/ <https://caml.inria.fr/pub/distrib/ocaml-4.04/> regards, Anil
On 23 Jun 2017, at 17:24, Leo Famulari <leo () famulari name> wrote: Hi Anil, Can you tell us where to get OCaml 4.04.2? It's not available here: https://ocaml.org/releases/ On Fri, Jun 23, 2017 at 04:28:28PM +0100, Anil Madhavapeddy wrote:Anyone packaging OCaml 4.04.0 or OCaml 4.04.1 and installing setuid binaries with it should be aware of this CVE, and upgrade their distribution packaging accordingly. Please get in touch with me if you are having any issues with upgrading to the latest OCaml 4.04.2. AnilBegin forwarded message: From: Damien Doligez <Damien.Doligez () inria fr> Subject: [Caml-list] OCaml release 4.04.2 Date: 23 June 2017 at 16:18:44 BST To: caml announce <caml-announce () inria fr>, caml users <caml-list () inria fr> Reply-To: Damien Doligez <Damien.Doligez () inria fr> Dear OCaml users, We have the pleasure of celebrating the birthday of Alan Turing by announcing the release of OCaml version 4.04.2. This minor release fixes the security issue described in CVE-2017-9772 (included below). All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1. Any user who produces setuid programs with OCaml should read the CVE and upgrade immediately. It is available as an OPAM switch, or as a source download here: https://caml.inria.fr/pub/distrib/ocaml-4.04/ https://github.com/ocaml/ocaml/archive/4.04.2.tar.gz Happy hacking, -- Damien Doligez for the OCaml team. OCaml 4.04.2 (23 Jun 2017): --------------------------- ### Security fix: - PR#7557: Local privilege escalation issue with ocaml binaries. (Damien Doligez, report by Eric Milliken, review by Xavier Leroy) -------------------------------------------------------------------- CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled executable or any ocamlc-compiled executable in ‘custom runtime mode’. This can lead to privilege escalation if the executable is marked setuid. Vulnerable versions: OCaml 4.04.0 and 4.04.1 Workarounds: - Upgrade to OCaml 4.04.2 or higher. or - Compile the OCaml distribution with the "-no-cplugins" configure option. or - OPAM users can "opam update && opam switch recompile 4.04.1", as the repository has had backported patches applied. Impact: This only affects binaries that have been installed on Unix-like operating systems (including Linux and macOS) with the setuid bit set. However, in that situation, any user who execute the program gains all the privileges of the owner of the executable (meaning that root-owned setuid executables provide root access). Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv to raise an exception if the process has ever had elevated privileges. The OCaml runtime has also been modified to use this function for retrieving all of the runtime environment variables which could potentially cause files to be accessed or modified. The older behaviour is available in Sys.unsafe_getenv for applications that require strict compatibility. Credits: This was originally reported by Eric Milliken on the OCaml Mantis bug tracker. https://caml.inria.fr/mantis/view.php?id=7557 References: see CVE-2017-9779 for a lesser vulnerability in older versions. CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L CWE ID: 114 -- Caml-list mailing list. Subscription management and archives: https://sympa.inria.fr/sympa/arc/caml-list Beginner's list: http://groups.yahoo.com/group/ocaml_beginners Bug reports: http://caml.inria.fr/bin/caml-bugs
Current thread:
- CVE-2017-9772: OCaml release 4.04.2 Anil Madhavapeddy (Jun 23)
- Re: CVE-2017-9772: OCaml release 4.04.2 Leo Famulari (Jun 23)
- Re: CVE-2017-9772: OCaml release 4.04.2 Anil Madhavapeddy (Jun 23)
- Re: CVE-2017-9772: OCaml release 4.04.2 Leo Famulari (Jun 23)
- Re: CVE-2017-9772: OCaml release 4.04.2 Leo Famulari (Jun 23)