Bugzilla – Bug 977990
VUL-0: CVE-2015-8869: ocaml: buffer overflow and information leak
Last modified: 2020-06-12 20:48:38 UTC
CVE-2015-8869 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8869 http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8869.html
bugbot adjusting priority
If this is a runtime thing, shouldn't the affected binaries (libguestfs?) be rebuilt with the fixed ocaml?
This is an autogenerated message for OBS integration: This bug (977990) was mentioned in https://build.opensuse.org/request/show/393716 13.2 / ocaml
Upstream patch: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762

Submissions summary:

| Codestream       | Request # |
|------------------|-----------|
| SLE11SP4         | #114055   |
| SLE12            | #114057   |
| openSUSE 13.2    | #393716   |
| openSUSE Leap    | via SLE12 |
| openSUSE Factory | #393717   |
openSUSE-SU-2016:1335-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 977990 CVE References: CVE-2015-8869 Sources used: openSUSE 13.2 (src): ocaml-4.01.0-6.4.1
(In reply to Olaf Hering from comment #2)
> If this is a runtime thing, shouldn't the affected binaries (libguestfs?) be
> rebuilt with the fixed ocaml?

I would say yes. See http://libguestfs.org/guestfs-security.1.html#cve-2015-8869

<cite>
This vulnerability in OCaml might affect virt tools written in the OCaml programming language. It affects only 64 bit platforms. Because this bug affects code generation it is difficult to predict which precise software could be affected, and therefore our recommendation is that you recompile libguestfs using a version of the OCaml compiler where this bug has been fixed (or ask your Linux distro to do the same).
</cite>
(In reply to Kristyna Streitova from comment #10)
> I would say yes. See
> http://libguestfs.org/guestfs-security.1.html#cve-2015-8869

I will set up a project and let build-compare figure it out.
Just a random sample from build-compare, after rebuilding pkgs with 13.2:Update:ocaml. Does this change have any effect at runtime? [ 56s] /usr/bin/ocamlfind differs in assembler output [ 56s] --- /tmp/tmp.xJp3nc7Tqe/tmp.dbf5Xbq1EN [ 56s] +++ /tmp/tmp.xJp3nc7Tqe/tmp.iwka8EMf4C [ 56s] @@ -72050,9 +72050,8 @@ [ 56s] [ 56s] caml_blit_string: [ 56s] sar %rcx [ 56s] - shl $something,%r8 [ 56s] sar %rsi [ 56s] - sar $something,%r8 [ 56s] + sar %r8 [ 56s] add %rdi,%rsi [ 56s] lea (%rcx,%rdx,1),%rdi [ 56s] sub $something,%rsp [ 56s] @@ -72061,7 +72060,7 @@ [ 56s] mov $something,%eax [ 56s] add $something,%rsp [ 56s] retq [ 56s] - nopl offset(%rax,%rax,1) [ 56s] + nopw %cs:offset(%rax,%rax,1) [ 56s] [ 56s] caml_fill_string: [ 56s] sar %rcx [ 56s] @@ -72102,20 +72101,16 @@ [ 56s] jmp <caml_is_printable + ofs> [ 56s] [ 56s] caml_bitvect_test: [ 56s] - sar %rsi [ 56s] + mov %rsi,%rcx [ 56s] mov $something,%eax [ 56s] - mov %esi,%edx [ 56s] - mov %esi,%ecx [ 56s] - sar $something,%edx [ 56s] + sar $something,%rsi [ 56s] + sar %rcx [ 56s] and $something,%ecx [ 56s] - movslq %edx,%rdx [ 56s] shl %cl,%eax [ 56s] - and (%rdx,%rdi,1),%al [ 56s] + and (%rsi,%rdi,1),%al [ 56s] movzbl %al,%eax [ 56s] lea offset(%rax,%rax,1),%rax [ 56s] retq [ 56s] - nopw %cs:offset(%rax,%rax,1) [ 56s] - nopl (%rax) [ 56s] [ 56s] caml_array_gather: [ 56s] push %r15
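Review bot: the caml_bitvect_test hunk is a functional change, not layout noise: the removed lines route the index through 32-bit registers (`mov %esi,%edx`, `movslq %edx,%rdx`) while the added lines shift %rsi at full width and use it directly in `and (%rsi,%rdi,1),%al`, so a binary carrying this runtime code can behave differently for indices that do not fit in 32 bits and belongs on the rebuild list. In the caml_blit_string hunk the shl/sar pair on %r8 becomes a single `sar %r8`, but build-compare masks the shift counts as $something, so the width of the old truncation cannot be read from this output; an unmasked disassembly of that function from both builds would settle it. The nopl/nopw lines are alignment padding only.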
(In reply to Olaf Hering from comment #16)
> [ 56s] /usr/bin/ocamlfind differs in assembler output

The same change is found in /usr/share/coccinelle/spatch, /usr/bin/XML2Modelica, /usr/bin/virt-builder. Other packages seem to be ok.

This is the list of rebuilds: brltty coccinelle kalzium libguestfs ocaml ocaml-facile ocaml-findlib ocaml-lablgtk2 plplot scilab unison
Only the x86_64 pkgs differ, i586 has no change in binary.
Closing as fixed.
SUSE-SU-2016:2192-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 977990 CVE References: CVE-2015-8869 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ocaml-4.02.1-3.4 SUSE Linux Enterprise Debuginfo 11-SP4 (src): ocaml-4.02.1-3.4
SUSE-SU-2016:2194-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 977990 CVE References: CVE-2015-8869 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ocaml-4.02.3-6.6.14
openSUSE-SU-2016:2273-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 977990 CVE References: CVE-2015-8869 Sources used: openSUSE Leap 42.1 (src): ocaml-4.02.3-3.2