Bug#895472: ocaml: CVE-2018-9838
Source: ocaml
Version: 4.05.0-10
Severity: important
Tags: security upstream
Forwarded: https://caml.inria.fr/mantis/view.php?id=7765
Hi,
The following vulnerability was published for ocaml.
CVE-2018-9838[0]:
| The caml_ba_deserialize function in byterun/bigarray.c in the standard
| library in OCaml 4.06.0 has an integer overflow which, in situations
| where marshalled data is accepted from an untrusted source, allows
| remote attackers to cause a denial of service (memory corruption) or
| possibly execute arbitrary code via a crafted object.
A solution is still beeing discussed upstream in [2].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-9838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9838
[1] https://caml.inria.fr/mantis/view.php?id=7765
[2] https://github.com/ocaml/ocaml/pull/1718
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply to: