Date: Thu, 31 Jan 2019 18:21:13 +0100
From: Andreas Enge
To: 27462@debbugs.gnu.org
Cc: Ben Woodcroft
Subject: Re: OCaml CVE-2015-8869

On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software

I suppose not, because one of its dependencies currently does not build:

...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
   191:35  4 (_ _)
In srfi/srfi-1.scm:
   863:16  3 (every1 # …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
   799:28  2 (_ _)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
     55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
    616:6  0 (invoke _ . _)

/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6: In procedure invoke:
Throw to key `srfi-34' with args `(#)'.
builder for `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv failed
...

Shall we remove all the ocaml-4.01 universe?

The next step would be 4.02, it appears that the CVE is solved with 4.03 only:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
   "OCaml before 4.03.0 does not properly handle..."

Andreas