OCaml CVE-2015-8869

Details
6 participants
  • Andreas Enge
  • Ben Woodcroft
  • Julien Lepiller
  • Leo Famulari
  • Ludovic Courtès
  • swedebugia
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 23 Jun 2017 18:41
OCaml CVE-2015-8869
(address . bug-guix@gnu.org)
20170623164129.GA4417@jasmine.lan
Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
in the primary ocaml package in April 2016. Unfortunately, this patch
was not included when the ocaml-4.01 package was created in January
2017.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

Do we need this older version of OCaml? If so, we need a volunteer to
maintain it.


Ben Woodcroft wrote on 24 Jun 2017 02:25
Re: bug#27462: OCaml CVE-2015-8869
faae92d6-1f30-9e7f-4e56-f7c69a794388@uq.edu.au
Hi Leo,


On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.

Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to
build pplacer, a bioinformatics program. I was planning on submitting 3
further bioinformatic packages soon which rely on pplacer, however.

I'm not sure I have the bandwidth to backport patches to such an old
release, especially since the OCaml maintainers do not appear to be
either, AFAICS.

This is a little frustrating, but perhaps they should be removed. WDYT?

ben
Leo Famulari wrote on 24 Jun 2017 18:03
(name . Ben Woodcroft)(address . b.woodcroft@uq.edu.au)(address . 27462@debbugs.gnu.org)
20170624160304.GA10364@jasmine.lan
On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> >
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
>
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
>
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
>
> This is a little frustrating, but perhaps they should be removed. WDYT?

That is a last resort :)

We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.


Ludovic Courtès wrote on 27 Jul 2017 14:25
control message for bug #27462
(address . control@debbugs.gnu.org)
87r2x23w3k.fsf@gnu.org
tags 27462 security
Andreas Enge wrote on 31 Jan 2019 17:57
OCaml CVE-2015-8869
(address . 27462@debbugs.gnu.org)(name . Ben Woodcroft)(address . b.woodcroft@uq.edu.au)
20190131165613.GA27597@jurong
Hello,

this bug has been open for quite a while, and the development of pplacer seems
to be stalled, with the latest commit in May 2018, and no reaction whatsoever
to Ben's bug report
https://github.com/matsen/pplacer/issues/354

How should we continue? Are people using the software, or should we maybe
remove it?

Andreas
Andreas Enge wrote on 31 Jan 2019 18:21
(address . 27462@debbugs.gnu.org)(name . Ben Woodcroft)(address . b.woodcroft@uq.edu.au)
20190131172113.GA29071@jurong
On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software

I suppose not, because one of its dependencies currently does not build:

...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
191:35 4 (_ _)
In srfi/srfi-1.scm:
863:16 3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
799:28 2 (_ _)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
55:8 1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
616:6 0 (invoke _ . _)

/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6: In procedure invoke:
Throw to key `srfi-34' with args `(#<condition &invoke-error [program: "./configure" arguments: ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0") exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
builder for `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv failed
...

Shall we remove all the ocaml-4.01 universe? The next step would be 4.02,
it appears that the CVE is solved with 4.03 only:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
  "OCaml before 4.03.0 does not properly handle..."

Andreas
swedebugia wrote on 31 Jan 2019 18:26
Re: bug#27462: OCaml CVE-2015-8869
(address . bug-guix@gnu.org)
85366415-3259-b63d-556e-57cc651d8db7@riseup.net
On 2019-01-31 17:57, Andreas Enge wrote:
> Hello,
>
> this bug has been open for quite a while, and the development of pplacer seems
> to be stalled, with the latest commit in May 2018, and no reaction whatsoever
> to Ben's bug report
> https://github.com/matsen/pplacer/issues/354
>
> How should we continue? Are people using the software, or should we maybe
> remove it?

Remove sounds good to me.

--
Cheers Swedebugia
Julien Lepiller wrote on 31 Jan 2019 18:30
96513178-922C-49D6-AF32-0EF723343C8E@lepiller.eu
On 31 January 2019 at 18:21:13 GMT+01:00, Andreas Enge <andreas@enge.fr> wrote:
>On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
>> Are people using the software
>
>I suppose not, because one of its dependencies currently does not
>build:
>
>...
>phase `ocaml-findlib-environment' succeeded after 0.0 seconds
>starting phase `configure'
>build directory:
>"/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
>running 'configure' with arguments ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>Backtrace:
> 5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
>In ice-9/eval.scm:
> 191:35 4 (_ _)
>In srfi/srfi-1.scm:
> 863:16 3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
> 799:28 2 (_ _)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
> 55:8 1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
> 616:6 0 (invoke _ . _)
>
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6:
>In procedure invoke:
>Throw to key `srfi-34' with args `(#<condition &invoke-error [program:
>"./configure" arguments: ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
>builder for
>`/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv'
>failed with exit code 1
>build of
>/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv
>failed
>...
>
>Shall we remove all the ocaml-4.01 universe? The next step would be
>4.02,
>it appears that the CVE is solved with 4.03 only:
>
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> "OCaml before 4.03.0 does not properly handle..."
>
>Andreas

I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.
Andreas Enge wrote on 19 Feb 2019 23:17
(name . Julien Lepiller)(address . julien@lepiller.eu)
20190219221752.GA4351@jurong
On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
> I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.

Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
all other dependent packages.

Is ocaml@4.02 really needed? It would be nice to get rid of a package
with CVE.

Andreas
Julien Lepiller wrote on 20 Feb 2019 09:39
(name . Andreas Enge)(address . andreas@enge.fr)(address . 27462@debbugs.gnu.org)
5510C5B2-07EA-4D26-9629-1403237F6751@lepiller.eu
On 19 February 2019 at 23:17:52 GMT+01:00, Andreas Enge <andreas@enge.fr> wrote:
>On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
>> I still care about ocaml-4.02, but I could probably update it to
>ocaml-4.04 without breaking dependents.
>
>Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
>4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
>all other dependent packages.
>
>Is ocaml@4.02 really needed? It would be nice to get rid of a package
>with CVE.
>
>Andreas

At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?

Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…
Andreas Enge wrote on 20 Feb 2019 12:27
(name . Julien Lepiller)(address . julien@lepiller.eu)(address . 27462@debbugs.gnu.org)
20190220112747.GA21689@jurong
On Wed, Feb 20, 2019 at 09:39:20AM +0100, Julien Lepiller wrote:
> At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?
>
> Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…

I understand! Waiting a bit more should be okay given how long this bug
is already open... Or packaging a current snapshot of bap (with suitable
numbering as laid out, I think, in the documentation, so that users
will upgrade automatically from the current version over the snapshot to
the next released version).

Thanks,

Andreas
Julien Lepiller wrote on 5 Jul 2019 14:12
OCaml CVE-2015-8869
(address . 27462-done@debbugs.gnu.org)
5E92B59E-1D62-498E-BBA0-D9611BA75C81@lepiller.eu
Ocaml-4.02 was removed a few months ago in c3634df2 but I forgot to close this bug report.
Closed