'[oss-security] Re: buffer overflow and information leak in OCaml < 4.03.0'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: buffer overflow and information leak in OCaml < 4.03.0
From:       cve-assign () mitre ! org
Date:       2016-04-29 14:49:11
Message-ID: 20160429144911.5DD178BC4E6 () smtpvmsrv1 ! mitre ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit
> platforms, causes sizes arguments to an internal memmove call to be
> sign-extended from 32 to 64-bits before being passed to the memmove
> function.
> 
> This leads arguments between 2GiB and 4GiB to be interpreted as larger
> than they are (specifically, a bit below 2^64), causing a buffer
> overflow.
> 
> Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than
> they should be, causing a possible information leak.
> 
> This commit fixes the bug:
> https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
>  The function caml_bit_string is called indirectly from such functions
> as String.copy. String.copy for instance is supposed to be a "safe"
> function for which OCaml's memory safety guarantees apply.

Use CVE-2015-8869.

(We consider this a single "to be sign-extended from 32 to 64" issue
even though there are two different types of impacts. Also, the
structure of the code change ("Int_val" replaced by "Long_val") is the
same everywhere. We did not consider it worthwhile to sort through the
possible "independently encountered" aspects as mentioned, for
example, in the
https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#commitcomment-14040616
 comment.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXI3NXAAoJEHb/MwWLVhi2RdEQAI71I2vgUNPxtIPV5muuzuT/
BGlgZLTiWI6HgmFvV7mRtNonvKockAP150f7cArfGgsG13DVViE45IYCk4WHacnW
aTfRtbPYBZ+eawApm1tWmSxXi4Idt2sSBPXxnA46vwKUZo3oDG8p0oxEanZ1O1Y6
v+zAL4vVNq+IdSnpPzwM368C/gc1KDBM0uLu7qVoV6E2qHriWXpWpEZ7MGqab5Dv
2/8ZhpdAnZDVzMSzGbKY+h1k1JjwWnIx3WmWzU65JKF3ccDtLyWy+LaRT5D63d/K
f5orQDKfJyxc9UQIa+TH4waYQZ64f1xb5haTZaQv8tJVxlwVKD0vVk/eVrlN/r1e
XXbtknwlMcWLf30hKqzOcDwAfWf2rPtUk5h6PotFVR42esLTTDg7BlIjYFilBXw0
AlVyDrZ4cBlnd3ZeeyJW2moEoErRlnYFrqdijjIBmHPokoPVAOUcfcU2saBfkFqP
suYLBcMHrpvitrr4V5yu5T2ZYZI9DtEse+z3Oe+wupCemyfoXXcGvX7Kwz0j4oIk
bFDuuKtNpo4do+2JkCwbczGwIGAyW20rBbyJqkMMGI1c3VlY/rzn8hES3ltKjVND
1WShu2c9wwyIhhYUKuacdx8RvuZinNBAlmkWdpNUI33XsVXmdRiEhjB+RGyvqv/X
a2JgvU+8pOLRMJsRX7CA
=BBAV
-----END PGP SIGNATURE-----


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic