Bug 22948 - ocaml new security issue CVE-2018-9838
Summary: ocaml new security issue CVE-2018-9838
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-24 22:54 CEST by David Walser
Modified: 2019-04-05 20:14 CEST (History)
7 users (show)

See Also:
Source RPM: ocaml-4.02.3-6.mga6.src.rpm
CVE: CVE-2018-9838
Status comment: Patches available from openSUSE and upstream


Attachments

Description David Walser 2018-04-24 22:54:21 CEST
openSUSE has issued an advisory today (April 24):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00070.html

Mageia 5 and Mageia 6 are also affected.

The SUSE bug has details:
https://bugzilla.suse.com/show_bug.cgi?id=1088591
David Walser 2018-04-24 22:54:28 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-04-25 09:06:24 CEST
Assigning to all pkgrs collectively, since there is no registered maintainer for this pkg

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2018-05-04 08:28:14 CEST

Status comment: (none) => Patches available from openSUSE and upstream

Comment 2 David Walser 2018-06-03 21:15:02 CEST
David Geiger fixed this in Cauldron in ocaml-4.06.0-4.mga7 on May 5.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
CC: (none) => geiger.david68210

Comment 3 David Walser 2018-06-07 23:34:50 CEST
openSUSE advisory for this on June 6:
https://lists.opensuse.org/opensuse-updates/2018-06/msg00016.html
Comment 4 Nicolas Salguero 2019-03-13 14:17:20 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The caml_ba_deserialize function in byterun/bigarray.c in the standard library in OCaml 4.06.0 has an integer overflow which, in situations where marshalled data is accepted from an untrusted source, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted object. (CVE-2018-9838)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9838
https://lists.opensuse.org/opensuse-updates/2018-04/msg00070.html
https://bugzilla.suse.com/show_bug.cgi?id=1088591
https://lists.opensuse.org/opensuse-updates/2018-06/msg00016.html
========================

Updated packages in core/updates_testing:
========================
ocaml-4.02.3-6.1.mga6
ocaml-compiler-4.02.3-6.1.mga6
ocaml-doc-4.02.3-6.1.mga6
ocaml-x11-4.02.3-6.1.mga6
ocaml-sources-4.02.3-6.1.mga6
ocaml-compiler-libs-4.02.3-6.1.mga6

from SRPMS:
ocaml-4.02.3-6.1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Source RPM: ocaml-4.06.0-3.mga7.src.rpm => ocaml-4.02.3-6.mga6.src.rpm
CVE: (none) => CVE-2018-9838
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

Comment 5 Herman Viaene 2019-03-17 11:32:24 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Found in bug 18296 link to http://ocaml.org/learn/tutorials/basics.html and did two simple tests:
$ ocaml
        OCaml version 4.02.3
# 1+1;;
- : int = 2

and
$  mkdir my_ocamlproject
$  cd my_ocamlproject
$ echo 'let () = print_endline "Hello, World!"' > my_prog.ml
$ ls
my_prog.ml
$ more my_prog.ml 
let () = print_endline "Hello, World!"
$ ocamlbuild my_prog.native
Finished, 4 targets (0 cached) in 00:00:01.
$ ./my_prog.native
Hello, World!

That all looks OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2019-04-03 03:51:31 CEST
Out of my depth here, so checking 64-bit for installation issues only.

Had to install ocaml and dependencies, no issues. Used the list from Comment 4 in qarepo, resulting in updates for ocaml, ocaml-compiler, and ocaml-x11. Again, no installation issues.

Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2019-04-04 15:32:28 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2019-04-05 20:14:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0124.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.