Bug#895472: ocaml: CVE-2018-9838

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#895472: ocaml: CVE-2018-9838
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 11 Apr 2018 22:59:43 +0200
Message-id: <[🔎] 152348038389.28766.10750295606381839162.reportbug@eldamar.local>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 895472@bugs.debian.org

Source: ocaml
Version: 4.05.0-10
Severity: important
Tags: security upstream
Forwarded: https://caml.inria.fr/mantis/view.php?id=7765

Hi,

The following vulnerability was published for ocaml.

CVE-2018-9838[0]:
| The caml_ba_deserialize function in byterun/bigarray.c in the standard
| library in OCaml 4.06.0 has an integer overflow which, in situations
| where marshalled data is accepted from an untrusted source, allows
| remote attackers to cause a denial of service (memory corruption) or
| possibly execute arbitrary code via a crafted object.

A solution is still beeing discussed upstream in [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-9838
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9838
[1] https://caml.inria.fr/mantis/view.php?id=7765
[2] https://github.com/ocaml/ocaml/pull/1718

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Prev by Date: Processed (with 1 error): asciidoc: deprecate in Debian - forgotten blocker
Next by Date: Bug#877267: ocaml-nox: broken symlink: /usr/share/doc/ocaml-nox/README.gz -> ../ocaml-base-nox/README.gz
Previous by thread: Processed (with 1 error): asciidoc: deprecate in Debian - forgotten blocker
Next by thread: Bug#877267: ocaml-nox: broken symlink: /usr/share/doc/ocaml-nox/README.gz -> ../ocaml-base-nox/README.gz
Index(es):
- Date
- Thread