
Bug#865712: marked as done (ocaml: CVE-2017-9772: local privilege escalation issue with ocaml binaries)

Your message dated Fri, 21 Jul 2017 16:19:23 +0000
with message-id <E1dYaeB-0002Ha-GE@fasolo.debian.org>
and subject line Bug#865712: fixed in ocaml 4.05.0-2
has caused the Debian Bug report #865712,
regarding ocaml: CVE-2017-9772: local privilege escalation issue with ocaml binaries
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
865712: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865712
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ocaml
Version: 4.04.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://caml.inria.fr/mantis/view.php?id=7557

Hi,

the following vulnerability was published for ocaml.

CVE-2017-9772[0]:
| Insufficient sanitisation in the OCaml compiler versions 4.04.0 and
| 4.04.1 allows external code to be executed with raised privilege in
| binaries marked as setuid, by setting the CAML_CPLUGINS,
| CAML_NATIVE_CPLUGINS, or CAML_BYTE_CPLUGINS environment variable.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9772
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772
[1] https://caml.inria.fr/mantis/view.php?id=7557

Regards,
Salvatore

--- End Message ---
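The report above describes a familiar pattern: a setuid program honouring an environment variable that names code to load. As an added example, not code from OCaml or the Debian package, the C program below shows how a runtime should consult such a variable only when the process is not running with elevated privileges, using glibc's secure_getenv(3) where available and a real-versus-effective id comparison otherwise. Only the variable name CAML_CPLUGINS comes from the report; the function names and the plugin path are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#if defined(__GLIBC__)
/* secure_getenv(3) is only declared under _GNU_SOURCE; declare it directly so
 * the example builds regardless of feature-test macros. */
extern char *secure_getenv(const char *name);
#endif

/* Policy, kept free of system calls so it can be tested: a plugin path taken
 * from the environment is honoured only when the process runs with the same
 * real and effective ids, i.e. is not setuid/setgid. Hypothetical helper. */
const char *plugin_path_if_unprivileged(const char *value,
                                        uid_t uid, uid_t euid,
                                        gid_t gid, gid_t egid)
{
    if (value == NULL || value[0] == '\0')
        return NULL;
    if (uid != euid || gid != egid)
        return NULL;               /* privileged: ignore the variable entirely */
    return value;
}

/* How a hardened runtime should read CAML_CPLUGINS and friends. glibc's
 * secure_getenv() also returns NULL when the kernel set AT_SECURE (file
 * capabilities, for instance), which the id comparison alone would miss. */
const char *read_plugin_env(const char *name)
{
#if defined(__GLIBC__)
    return secure_getenv(name);
#else
    return plugin_path_if_unprivileged(getenv(name), getuid(), geteuid(),
                                       getgid(), getegid());
#endif
}

int main(void)
{
    /* Constructed value: with plain getenv() a setuid binary would load
     * whatever shared object this names, with its elevated privileges. */
    setenv("CAML_CPLUGINS", "/tmp/example-plugin.so", 1);
    const char *unsafe = getenv("CAML_CPLUGINS");
    const char *safe = read_plugin_env("CAML_CPLUGINS");
    printf("getenv():        %s\n", unsafe ? unsafe : "(null)");
    printf("hardened lookup: %s\n", safe ? safe : "(null, ignored: privileged process)");
    return 0;
}
```

Run as an ordinary user both lookups return the path; in a setuid or setgid binary only the plain getenv() does, which is the behaviour the fix removes.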
--- Begin Message ---
Source: ocaml
Source-Version: 4.05.0-2

We believe that the bug you reported is fixed in the latest version of
ocaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ximin Luo <infinity0@debian.org> (supplier of updated ocaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 21 Jul 2017 18:01:04 +0200
Source: ocaml
Binary: ocaml-base-nox ocaml-base ocaml-nox ocaml ocaml-source ocaml-interp ocaml-compiler-libs ocaml-mode
Architecture: source
Version: 4.05.0-2
Distribution: experimental
Urgency: medium
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Ximin Luo <infinity0@debian.org>
Description:
 ocaml      - ML language implementation with a class-based object system
 ocaml-base - Runtime system for OCaml bytecode executables
 ocaml-base-nox - Runtime system for OCaml bytecode executables (no X)
 ocaml-compiler-libs - OCaml interpreter and standard libraries
 ocaml-interp - OCaml interactive interpreter and standard libraries
 ocaml-mode - major mode for editing Objective Caml in Emacs
 ocaml-nox  - ML implementation with a class-based object system (no X)
 ocaml-source - Sources for Objective Caml
Closes: 865712
Changes:
 ocaml (4.05.0-2) experimental; urgency=medium
 .
   * Update conditional-install rules for easier maintenance. This fixes FTBFS
     on arm64 and s390x where libasmrunp.a is not available.
   * Disable failing dup3/pipe2-related tests on kfreebsd-*.
   * Close old bug reports. (Closes: #865712)

--- End Message ---