Date: Sun, 15 Oct 2017 23:23:37 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 223039] lang/ocaml: generating insecure code before 4.03
Message-ID: <bug-223039-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223039

            Bug ID: 223039
           Summary: lang/ocaml: generating insecure code before 4.03
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: freebsd@phil.spodhuis.org
                CC: michipili@gmail.com
             Flags: maintainer-feedback?(michipili@gmail.com)

This should be tracked as a security problem; per:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
the OCaml compiler before version 4.03 generates insecure code, mis-handling sign extensions resulting in remote code execution vulnerabilities in software written in OCaml, if it accepts network connections.

Example network-connection-accepting OCaml software in Ports: security/sks

The current packaging is 4.02.3, not 4.03+, thus all OCaml code being compiled on FreeBSD using the compiler in Ports should be considered vulnerable, per my understanding of the CVE.

There is work in progress for one possible path forward in bug 218333; whether this security-issue bug ends up marked as a dup or prompts shorter-term fast work to update the compiler, is a matter for the Security & Ports folks of FreeBSD to decide, but I felt it worth having a tracking bug for the security implications rather than one possible remediation path.

-- 
You are receiving this mail because:
You are the assignee for the bug.