Bug#1129317: marked as done (ocaml: CVE-2026-28364)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Mon, 02 Mar 2026 07:48:31 +0000
with message-id <E1vwy11-0000000BGcW-3wh3@fasolo.debian.org>
and subject line Bug#1129317: fixed in ocaml 5.4.1-1~exp1
has caused the Debian Bug report #1129317,
regarding ocaml: CVE-2026-28364
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1129317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129317
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: ocaml: CVE-2026-28364
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Sat, 28 Feb 2026 21:21:31 +0100
• Message-id: <177231009186.755797.17427797038621990854.reportbug@eldamar.lan>

Source: ocaml
Version: 5.4.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ocaml.

CVE-2026-28364[0]:
| In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in
| Marshal deserialization (runtime/intern.c) enables remote code
| execution through a multi-phase attack chain. The vulnerability
| stems from missing bounds validation in the readblock() function,
| which performs unbounded memcpy() operations using attacker-
| controlled lengths from crafted Marshal data.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-28364
    https://www.cve.org/CVERecord?id=CVE-2026-28364
[1] https://osv.dev/vulnerability/OSEC-2026-01
[2] https://github.com/ocaml/ocaml/commit/e3919fef436f89271bc30bbe8592851f7289fb68
[3] https://github.com/ocaml/ocaml/commit/b0a2614684a52acded784ec213f14ddfe085d146

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

• To: 1129317-close@bugs.debian.org
• Subject: Bug#1129317: fixed in ocaml 5.4.1-1~exp1
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Mon, 02 Mar 2026 07:48:31 +0000
• Message-id: <E1vwy11-0000000BGcW-3wh3@fasolo.debian.org>
• Reply-to: Stéphane Glondu <glondu@debian.org>

Source: ocaml
Source-Version: 5.4.1-1~exp1
Done: Stéphane Glondu <glondu@debian.org>

We believe that the bug you reported is fixed in the latest version of
ocaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1129317@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stéphane Glondu <glondu@debian.org> (supplier of updated ocaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 02 Mar 2026 08:28:58 +0100
Source: ocaml
Architecture: source
Version: 5.4.1-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Stéphane Glondu <glondu@debian.org>
Closes: 1129317
Changes:
 ocaml (5.4.1-1~exp1) experimental; urgency=medium
 .
   * New upstream release (Closes: #1129317, CVE-2026-28364)
   * Stabilize compiler-libs ABI by not including config.cmx
   * Print .cmi flags in objinfo
   * Bump Standards-Version to 4.7.3
   * Remove Priority field from debian/control
Checksums-Sha1:
 4a3c173cd53d2139828666f2e1dac5ec9b93b599 2319 ocaml_5.4.1-1~exp1.dsc
 6fcf64b8519f47d90e35c501f64bba154ce3a2e8 4483716 ocaml_5.4.1.orig.tar.xz
 1b55ec46c517ffd72ed3a60a992a80e34e0df724 39944 ocaml_5.4.1-1~exp1.debian.tar.xz
Checksums-Sha256:
 17b7d8cd7c97a8f4bc0abcf45eadf5d1fa92d5235f189c0eaf1fb7487ebb8c12 2319 ocaml_5.4.1-1~exp1.dsc
 b1e297adc186635540758eb064c7fab025598ae4436f3b9767e5025188b4e0ab 4483716 ocaml_5.4.1.orig.tar.xz
 0c089b230b2e91f6551c6f60e7272873ec4743e8d5593bf69be66fe653a50152 39944 ocaml_5.4.1-1~exp1.debian.tar.xz
Files:
 4cb93082ca63f27a67f4ef4f026a68b2 2319 ocaml optional ocaml_5.4.1-1~exp1.dsc
 4588be6c34939f15fdc37c3a230cea9d 4483716 ocaml optional ocaml_5.4.1.orig.tar.xz
 9821dde5c0bdaab82d1bd6edab5541fe 39944 ocaml optional ocaml_5.4.1-1~exp1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCgAwFiEEbeJOl+yohsxW5iUOIbju8bGJMIEFAmmlPrMSHGdsb25kdUBk
ZWJpYW4ub3JnAAoJECG47vGxiTCB/JoH/AjzXnxqiZv1qVlxUwTgHtbYStiOkwYC
3ijHP/vB2WVixEonhbJbhEFKxkCeFnP3YdhEnXqHY+GyJma9qwm5LZbWWAQTJTot
m3WqsJxg1fSZID7YC7smnrBwLPXnUgqRd+/X+/z5x1F+0IzNhzQ2mIdD28hJ4Cos
LCPVQ2SsVRkHMVgkeGLKfeRCBqVfrbDKVlS9UEEjWcEjIfemclp8Uf9b5ol0lwOQ
bWGYIT0I2y+R4bfMbpYUczJ2roDC8+sAxjEFpaRMV4SNtYDj3jB6OSYJLpIqqyIw
obb9rHPlAVbSzTXncTih2ggXloFjGSNphVcdQ2L8FZnq42zfktwlcMU=
=ox+/
-----END PGP SIGNATURE-----

Attachment: pgpXTSl0SRSpX.pgp
Description: PGP signature

--- End Message ---