[Bug 223039] lang/ocaml: generating insecure code before 4.03

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Oct 15 23:23:38 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223039

            Bug ID: 223039
           Summary: lang/ocaml: generating insecure code before 4.03
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs at FreeBSD.org
          Reporter: freebsd at phil.spodhuis.org
                CC: michipili at gmail.com
             Flags: maintainer-feedback?(michipili at gmail.com)

This should be tracked as a security problem; per:

  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

the OCaml compiler before version 4.03 generates insecure code, mis-handling
sign extensions resulting in remote code execution vulnerabilities in software
written in OCaml, if it accepts network connections.

Example network-connection-accepting OCaml software in Ports: security/sks

The current packaging is 4.02.3, not 4.03+, thus all OCaml code being compiled
on FreeBSD using the compiler in Ports should be considered vulnerable, per my
understanding of the CVE.

There is work in progress for one possible path forward in bug 218333; whether
this security-issue bug ends up marked as a dup or prompts shorter-term fast
work to update the compiler is a matter for the Security & Ports folks of
FreeBSD to decide, but I felt it worth having a tracking bug for the security
implications rather than one possible remediation path.
