Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20160429144911.5DD178BC4E6@smtpvmsrv1.mitre.org>
Date: Fri, 29 Apr 2016 10:49:11 -0400 (EDT)
From: cve-assign@...re.org
To: cuoq@...st-in-soft.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: buffer overflow and information leak in OCaml < 4.03.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit
> platforms, causes sizes arguments to an internal memmove call to be
> sign-extended from 32 to 64-bits before being passed to the memmove
> function.
> 
> This leads arguments between 2GiB and 4GiB to be interpreted as larger
> than they are (specifically, a bit below 2^64), causing a buffer
> overflow.
> 
> Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than
> they should be, causing a possible information leak.
> 
> This commit fixes the bug:
> https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
> The function caml_bit_string is called indirectly from such functions
> as String.copy. String.copy for instance is supposed to be a "safe"
> function for which OCaml's memory safety guarantees apply.

Use CVE-2015-8869.

(We consider this a single "to be sign-extended from 32 to 64" issue
even though there are two different types of impacts. Also, the
structure of the code change ("Int_val" replaced by "Long_val") is the
same everywhere. We did not consider it worthwhile to sort through the
possible "independently encountered" aspects as mentioned, for
example, in the
https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#commitcomment-14040616
comment.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXI3NXAAoJEHb/MwWLVhi2RdEQAI71I2vgUNPxtIPV5muuzuT/
BGlgZLTiWI6HgmFvV7mRtNonvKockAP150f7cArfGgsG13DVViE45IYCk4WHacnW
aTfRtbPYBZ+eawApm1tWmSxXi4Idt2sSBPXxnA46vwKUZo3oDG8p0oxEanZ1O1Y6
v+zAL4vVNq+IdSnpPzwM368C/gc1KDBM0uLu7qVoV6E2qHriWXpWpEZ7MGqab5Dv
2/8ZhpdAnZDVzMSzGbKY+h1k1JjwWnIx3WmWzU65JKF3ccDtLyWy+LaRT5D63d/K
f5orQDKfJyxc9UQIa+TH4waYQZ64f1xb5haTZaQv8tJVxlwVKD0vVk/eVrlN/r1e
XXbtknwlMcWLf30hKqzOcDwAfWf2rPtUk5h6PotFVR42esLTTDg7BlIjYFilBXw0
AlVyDrZ4cBlnd3ZeeyJW2moEoErRlnYFrqdijjIBmHPokoPVAOUcfcU2saBfkFqP
suYLBcMHrpvitrr4V5yu5T2ZYZI9DtEse+z3Oe+wupCemyfoXXcGvX7Kwz0j4oIk
bFDuuKtNpo4do+2JkCwbczGwIGAyW20rBbyJqkMMGI1c3VlY/rzn8hES3ltKjVND
1WShu2c9wwyIhhYUKuacdx8RvuZinNBAlmkWdpNUI33XsVXmdRiEhjB+RGyvqv/X
a2JgvU+8pOLRMJsRX7CA
=BBAV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.