OCaml CVE-2015-8869

Done. Submitted by Leo Famulari.
Details
6 participants
  • Andreas Enge
  • Ben Woodcroft
  • Julien Lepiller
  • Leo Famulari
  • Ludovic Courtès
  • swedebugia
Owner
unassigned
Severity
normal
Leo Famulari wrote on 23 Jun 2017 18:41
OCaml CVE-2015-8869
(address . bug-guix@gnu.org)
20170623164129.GA4417@jasmine.lan
Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched in the primary ocaml package in April 2016. Unfortunately, this patch was not included when the ocaml-4.01 package was created in January 2017.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
Do we need this older version of OCaml? If so, we need a volunteer to maintain it.

Ben Woodcroft wrote on 24 Jun 2017 02:25
Re: bug#27462: OCaml CVE-2015-8869
faae92d6-1f30-9e7f-4e56-f7c69a794388@uq.edu.au
Hi Leo,

On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.
Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build pplacer, a bioinformatics program. I was planning on submitting 3 further bioinformatic packages soon which rely on pplacer, however.
I'm not sure I have the bandwidth to backport patches to such an old release, especially since the OCaml maintainers do not appear to be either, AFAICS.
This is a little frustrating, but perhaps they should be removed. WDYT?
ben
Leo Famulari wrote on 24 Jun 2017 18:03
(name . Ben Woodcroft)(address . b.woodcroft@uq.edu.au)(address . 27462@debbugs.gnu.org)
20170624160304.GA10364@jasmine.lan
On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> >
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
>
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
>
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
>
> This is a little frustrating, but perhaps they should be removed. WDYT?
That is a last resort :)
We should check if another distro has a patch for OCaml 4.01, if we can backport the patch, if pplacer can use a newer OCaml, and only then consider removing the packages.

Ludovic Courtès wrote on 27 Jul 2017 14:25
control message for bug #27462
(address . control@debbugs.gnu.org)
87r2x23w3k.fsf@gnu.org
tags 27462 security
Andreas Enge wrote on 31 Jan 2019 17:57
OCaml CVE-2015-8869
(address . 27462@debbugs.gnu.org)(name . Ben Woodcroft)(address . b.woodcroft@uq.edu.au)
20190131165613.GA27597@jurong
Hello,
this bug has been open for quite a while, and the development of pplacer seems to be stalled, with the latest commit in May 2018, and no reaction whatsoever to Ben's bug report https://github.com/matsen/pplacer/issues/354
How should we continue? Are people using the software, or should we maybe remove it?
Andreas
Andreas Enge wrote on 31 Jan 2019 18:21
(address . 27462@debbugs.gnu.org)(name . Ben Woodcroft)(address . b.woodcroft@uq.edu.au)
20190131172113.GA29071@jurong
On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software
I suppose not, because one of its dependencies currently does not build:
...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
   191:35  4 (_ _)
In srfi/srfi-1.scm:
   863:16  3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
   799:28  2 (_ _)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
    55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
   616:6  0 (invoke _ . _)

/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6: In procedure invoke:
Throw to key `srfi-34' with args `(#<condition &invoke-error [program: "./configure" arguments: ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0") exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
builder for `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv failed
...
Shall we remove all the ocaml-4.01 universe? The next step would be 4.02, it appears that the CVE is solved with 4.03 only:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869 "OCaml before 4.03.0 does not properly handle..."
Andreas
swedebugia wrote on 31 Jan 2019 18:26
Re: bug#27462: OCaml CVE-2015-8869
(address . bug-guix@gnu.org)
85366415-3259-b63d-556e-57cc651d8db7@riseup.net
On 2019-01-31 17:57, Andreas Enge wrote:
> Hello,
>
> this bug has been open for quite a while, and the development of pplacer seems
> to be stalled, with the latest commit in May 2018, and no reaction whatsoever
> to Ben's bug report
> https://github.com/matsen/pplacer/issues/354
>
> How should we continue? Are people using the software, or should we maybe
> remove it?
Remove sounds good to me.
--
Cheers
Swedebugia
Julien Lepiller wrote on 31 Jan 2019 18:30
96513178-922C-49D6-AF32-0EF723343C8E@lepiller.eu
On 31 January 2019 18:21:13 GMT+01:00, Andreas Enge <andreas@enge.fr> wrote:
>On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
>> Are people using the software
>
>I suppose not, because one of its dependencies currently does not
>build:
>
>...
>phase `ocaml-findlib-environment' succeeded after 0.0 seconds
>starting phase `configure'
>build directory:
>"/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
>running 'configure' with arguments ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>Backtrace:
>           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
>In ice-9/eval.scm:
>   191:35  4 (_ _)
>In srfi/srfi-1.scm:
>   863:16  3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
>   799:28  2 (_ _)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
>    55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
>   616:6  0 (invoke _ . _)
>
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6:
>In procedure invoke:
>Throw to key `srfi-34' with args `(#<condition &invoke-error [program:
>"./configure" arguments: ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
>builder for
>`/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv'
>failed with exit code 1
>build of
>/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv
>failed
>...
>
>Shall we remove all the ocaml-4.01 universe? The next step would be
>4.02,
>it appears that the CVE is solved with 4.03 only:
>
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> "OCaml before 4.03.0 does not properly handle..."
>
>Andreas
I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.
Andreas Enge wrote on 19 Feb 2019 23:17
(name . Julien Lepiller)(address . julien@lepiller.eu)
20190219221752.GA4351@jurong
On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
> I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.
Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and 4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and all other dependent packages.
Is ocaml@4.02 really needed? It would be nice to get rid of a package with a CVE.
Andreas
Julien Lepiller wrote on 20 Feb 2019 09:39
(name . Andreas Enge)(address . andreas@enge.fr)(address . 27462@debbugs.gnu.org)
5510C5B2-07EA-4D26-9629-1403237F6751@lepiller.eu
On 19 February 2019 23:17:52 GMT+01:00, Andreas Enge <andreas@enge.fr> wrote:
>On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
>> I still care about ocaml-4.02, but I could probably update it to
>ocaml-4.04 without breaking dependents.
>
>Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
>4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
>all other dependent packages.
>
>Is ocaml@4.02 really needed? It would be nice to get rid of a package
>with CVE.
>
>Andreas
At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?
Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…
Andreas Enge wrote on 20 Feb 2019 12:27
(name . Julien Lepiller)(address . julien@lepiller.eu)(address . 27462@debbugs.gnu.org)
20190220112747.GA21689@jurong
On Wed, Feb 20, 2019 at 09:39:20AM +0100, Julien Lepiller wrote:
> At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?
>
> Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…
I understand! Waiting a bit more should be okay given how long this bug is already open... Or packaging a current snapshot of bap (with suitable numbering as laid out, I think, in the documentation, so that users will upgrade automatically from the current version over the snapshot to the next released version).
Thanks,
Andreas
Julien Lepiller wrote on 5 Jul 2019 14:12
OCaml CVE-2015-8869
(address . 27462-done@debbugs.gnu.org)
5E92B59E-1D62-498E-BBA0-D9611BA75C81@lepiller.eu
Ocaml-4.02 was removed a few months ago in c3634df2 but I forgot to close this bug report.
Closed
This issue is archived.

To comment on this conversation send email to 27462@debbugs.gnu.org