| Summary: | ocaml new security issue CVE-2018-9838 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK | ||
| Source RPM: | ocaml-4.02.3-6.mga6.src.rpm | CVE: | CVE-2018-9838 |
| Status comment: | Patches available from openSUSE and upstream | ||
Description

David Walser 2018-04-24 22:54:21 CEST

David Walser 2018-04-24 22:54:28 CEST

Whiteboard: (none) => MGA6TOO
CC: (none) => marja11

Assigning to all pkgrs collectively, since there is no registered maintainer for this pkg.

David Walser 2018-05-04 08:28:14 CEST

Status comment: (none) => Patches available from openSUSE and upstream

David Geiger fixed this in Cauldron in ocaml-4.06.0-4.mga7 on May 5.

Version: Cauldron => 6

openSUSE advisory for this on June 6:
https://lists.opensuse.org/opensuse-updates/2018-06/msg00016.html

Suggested advisory:
========================

The updated packages fix a security vulnerability:

The caml_ba_deserialize function in byterun/bigarray.c in the standard library in OCaml 4.06.0 has an integer overflow which, in situations where marshalled data is accepted from an untrusted source, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted object. (CVE-2018-9838)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9838
https://lists.opensuse.org/opensuse-updates/2018-04/msg00070.html
https://bugzilla.suse.com/show_bug.cgi?id=1088591
https://lists.opensuse.org/opensuse-updates/2018-06/msg00016.html
========================

Updated packages in core/updates_testing:
========================
ocaml-4.02.3-6.1.mga6
ocaml-compiler-4.02.3-6.1.mga6
ocaml-doc-4.02.3-6.1.mga6
ocaml-x11-4.02.3-6.1.mga6
ocaml-sources-4.02.3-6.1.mga6
ocaml-compiler-libs-4.02.3-6.1.mga6

from SRPMS:
ocaml-4.02.3-6.1.mga6.src.rpm

CC: (none) => nicolas.salguero

MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

Found in bug 18296 a link to http://ocaml.org/learn/tutorials/basics.html and did two simple tests:

```
$ ocaml
        OCaml version 4.02.3

# 1+1;;
- : int = 2
```

and

```
$ mkdir my_ocamlproject
$ cd my_ocamlproject
$ echo 'let () = print_endline "Hello, World!"' > my_prog.ml
$ ls
my_prog.ml
$ more my_prog.ml
let () = print_endline "Hello, World!"
$ ocamlbuild my_prog.native
Finished, 4 targets (0 cached) in 00:00:01.
$ ./my_prog.native
Hello, World!
```

That all looks OK.

Whiteboard: (none) => MGA6-32-OK

Out of my depth here, so checking 64-bit for installation issues only. Had to install ocaml and dependencies, no issues. Used the list from Comment 4 in qarepo, resulting in updates for ocaml, ocaml-compiler, and ocaml-x11. Again, no installation issues. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update

Dave Hodgins 2019-04-04 15:32:28 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0124.html

Resolution: (none) => FIXED
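The advisory quoted above describes an integer overflow in caml_ba_deserialize when a Bigarray header taken from untrusted marshalled data is turned into an allocation size. The following is an added illustration of that bug class, not OCaml's code and not the upstream patch; the header layout and the MAX_DIMS bound are assumptions. It puts the unchecked size product beside an overflow-checked one that rejects the input instead of wrapping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustration of the bug class in the advisory (not OCaml's own code): a
 * Bigarray header recovered from marshalled data gives the dimension count,
 * each extent and the element size, and the buffer to allocate is their
 * product.  Formed without overflow checks, that product can wrap to a small
 * value, so a crafted header yields a short allocation and an overflow. */

#define MAX_DIMS 16               /* assumed bound for this illustration */

struct ba_header {
    int    num_dims;
    size_t dims[MAX_DIMS];        /* extents as read from untrusted input */
    size_t elt_size;              /* bytes per element of the declared kind */
};

/* Unchecked product: wraps silently on overflow. */
size_t ba_size_unchecked(const struct ba_header *h) {
    size_t size = h->elt_size;
    for (int i = 0; i < h->num_dims; i++)
        size *= h->dims[i];
    return size;
}

/* Checked product: reports failure instead of wrapping, so the caller can
 * reject the input rather than allocate a too-small buffer. */
bool ba_size_checked(const struct ba_header *h, size_t *out) {
    if (h->num_dims < 0 || h->num_dims > MAX_DIMS || h->elt_size == 0)
        return false;
    size_t size = h->elt_size;
    for (int i = 0; i < h->num_dims; i++) {
        size_t d = h->dims[i];
        if (d != 0 && size > SIZE_MAX / d)   /* size * d would exceed SIZE_MAX */
            return false;
        size *= d;
    }
    *out = size;
    return true;
}

/* Constructed headers: the crafted one multiplies out to exactly SIZE_MAX + 1,
 * which the unchecked version wraps to 0; the benign one is 3 x 4 x 8 bytes. */
const struct ba_header crafted_header = { 2, { SIZE_MAX / 2 + 1, 2 }, 1 };
const struct ba_header benign_header  = { 2, { 3, 4 }, 8 };
```

With the crafted header, ba_size_unchecked returns 0 (an allocation of no bytes for data that is then copied in), while ba_size_checked returns false so the deserializer can raise an error.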