[Caml-list] [URGENT] To all macOS/BSD opam users: critical problem with camlp5 7.03

[Caml-list] [URGENT] To all macOS/BSD opam users: critical problem with camlp5 7.03

[Louis Gesbert]

!! opam users on macOS or BSD systems are at risk of losing their files
!! if they didn't update since Feb. 18th.

    Full details, including advice for restoring your system to safety, are
    available at https://opam.ocaml.org/blog/camlp5-system/


A problem was identified in February with the camlp5 7.03 package when 
installed via opam. Under certain circumstances, it is possible for the 
package removal instructions to execute `rm -rf /` with potentially
devastating consequences for your files if your rm command is non-GNU (and so 
doesn’t support the --preserve-root default option) which includes macOS and 
other BSDs.

Initially, this was seen non-fatally on GNU/Linux systems and it was believed 
to have been successfully patched on 18 Feb with only a 48 hour window for 
problems for anyone who updated opam between 16 and 18 Feb and then hadn’t 
updated since, however we failed to take upgrading the system
compiler into account. If you haven’t updated opam since 18 Feb 2018, have 
camlp5 installed in your system switch and upgrade your system compiler to 
OCaml 4.06.1 using your OS package manager, then your system is at risk from 
this issue.

Most regrettably, several users have been hit by this issue. This issue 
affects opam 1.x only - if you have been testing the opam 2 release candidate 
then your system is not affected (but we still recommend you run opam update 
regularly).

We are trying to reach as widely as possible in the hope that everyone will be 
safe from this issue. It is taken seriously, and sandboxing support for Linux 
and MacOS was added to the upcoming opam 2 Release Candidate 2, ensuring this 
kind of issue won't happen again in the future.

Louis Gesbert — OCamlPro