From: Adrien Nader <adrien@notk.org>
To: caml-list@inria.fr
Date: Fri, 29 Apr 2016 18:46:13 +0200
Message-ID: <20160429164613.GB24608@notk.org>
Subject: [Caml-list] [cve-assign@mitre.org] [oss-security] Re: buffer overflow and information leak in OCaml < 4.03.0

This is probably of interest to the list.

PS: no credit goes to me, I'm merely subscribed to oss-security@

-- 
Adrien Nader

----- Forwarded message from cve-assign@mitre.org -----

From: cve-assign@mitre.org
To: cuoq@trust-in-soft.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com
Date: Fri, 29 Apr 2016 10:49:11 -0400 (EDT)
Message-Id: <20160429144911.5DD178BC4E6@smtpvmsrv1.mitre.org>
In-Reply-To: <4868d0749e044d6491f11118f6e10d45@S1688.EX1688.lan>
Subject: [oss-security] Re: buffer overflow and information leak in OCaml < 4.03.0

> OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit
> platforms, causes size arguments to an internal memmove call to be
> sign-extended from 32 to 64 bits before being passed to the memmove
> function.
>
> This leads arguments between 2GiB and 4GiB to be interpreted as larger
> than they are (specifically, a bit below 2^64), causing a buffer
> overflow.
>
> Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than
> they should be, causing a possible information leak.
>
> This commit fixes the bug:
> https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
>
> The function caml_blit_string is called indirectly from such functions
> as String.copy. String.copy for instance is supposed to be a "safe"
> function for which OCaml's memory safety guarantees apply.

Use CVE-2015-8869.

(We consider this a single "to be sign-extended from 32 to 64" issue even
though there are two different types of impacts. Also, the structure of
the code change ("Int_val" replaced by "Long_val") is the same everywhere.
We did not consider it worthwhile to sort through the possible
"independently encountered" aspects as mentioned, for example, in the
https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#commitcomment-14040616
comment.)

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
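The arithmetic behind the two impacts the forwarded message describes, as an added C example that is not part of either message or of the OCaml runtime. It models the tagged-integer encoding and the Int_val-style narrowing on a 64-bit platform (the names val_long, long_val, int_val_narrowed, memmove_size_buggy, memmove_size_fixed, classify, checked_blit and blit_demo are this example's own), shows which size memmove would actually receive for a given request, and ends with the full-width bound check a blit primitive needs before it touches memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of OCaml's tagged integers on a 64-bit platform: an OCaml int n is
   stored in a machine word as (n << 1) | 1.  int64_t is used explicitly so
   the arithmetic matches the 64-bit case even when compiled on a 32-bit host.
   These are standalone re-implementations written for this example, not the
   OCaml runtime's own macros. */
typedef int64_t value;

static value val_long(int64_t n) { return (value)(((uint64_t) n << 1) | 1); }

/* Long_val equivalent: arithmetic shift of the whole word, correct on 64-bit. */
static int64_t long_val(value v) { return v >> 1; }

/* Int_val equivalent: the same shift followed by a narrowing cast to a 32-bit
   int, which is what the pre-4.03 runtime applied to the size argument.  The
   out-of-range conversion is implementation-defined in C; gcc and clang reduce
   modulo 2^32, which is the behaviour the advisory describes. */
static int int_val_narrowed(value v) { return (int)(v >> 1); }

/* Size actually handed to memmove.  Converting a negative int to size_t
   sign-extends it, so a value just below 2^32 becomes one just below 2^64. */
static size_t memmove_size_buggy(value v) { return (size_t) int_val_narrowed(v); }
static size_t memmove_size_fixed(value v) { return (size_t) long_val(v); }

enum effect { EXACT = 0, OVERFLOW_HUGE = 1, LEAK_SHORT = 2 };

/* Which of the advisory's two impacts a requested length n triggers. */
static enum effect classify(int64_t n) {
    size_t wanted = (size_t) n;
    size_t got = memmove_size_buggy(val_long(n));
    if (got == wanted) return EXACT;
    if (got > wanted) return OVERFLOW_HUGE; /* write runs far past the buffer */
    return LEAK_SHORT;                      /* too few bytes copied: dst tail keeps old heap contents */
}

/* Defensive blit: the bound check a runtime primitive must perform, using the
   full-width length before any memory is touched.  Returns 1 and copies when
   the request fits, 0 otherwise. */
static int checked_blit(const char *src, size_t src_len,
                        char *dst, size_t dst_len, value len_v) {
    int64_t len = long_val(len_v);
    if (len < 0 || (uint64_t) len > src_len || (uint64_t) len > dst_len) return 0;
    memmove(dst, src, (size_t) len);
    return 1;
}

/* Small driver: copies n bytes of a constructed 16-byte buffer into another;
   returns 1 only if the blit was accepted and the copied prefix matches. */
static int blit_demo(int64_t n) {
    const char src[16] = "0123456789abcde";  /* constructed sample data */
    char dst[16] = {0};
    if (!checked_blit(src, sizeof src, dst, sizeof dst, val_long(n))) return 0;
    return memcmp(src, dst, (size_t) n) == 0;
}

int main(void) {
    const int64_t GiB = (int64_t) 1 << 30;
    const int64_t samples[] = { 100, 2 * GiB - 1, 2 * GiB, 3 * GiB,
                                4 * GiB, 5 * GiB, 6 * GiB - 1 };
    static const char *names[] = { "exact", "overflow (huge size)", "leak (short copy)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        value v = val_long(samples[i]);
        printf("n=%lld  Int_val->memmove %llu  Long_val->memmove %llu  %s\n",
               (long long) samples[i],
               (unsigned long long) memmove_size_buggy(v),
               (unsigned long long) memmove_size_fixed(v),
               names[classify(samples[i])]);
    }
    return 0;
}
```

Run on a 64-bit host, the table shows the three regions the message names: lengths below 2GiB survive the narrowing, lengths from 2GiB up to 4GiB become a size just under 2^64, and lengths from 4GiB up to 6GiB lose exactly 4GiB, so the destination is only partly overwritten and whatever the allocator left in its tail is exposed. checked_blit is the shape of the guard: compare the full-width length against both buffers before calling memmove, which is what switching the runtime from Int_val to Long_val restores.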