Your message dated Fri, 25 Jan 2019 15:00:47 +0000
with message-id <e1gn2yn-000b0d...@fasolo.debian.org>
and subject line Bug#895472: fixed in ocaml 4.05.0-11
has caused the Debian Bug report #895472,
regarding ocaml: CVE-2018-9838
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895472
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ocaml
Version: 4.05.0-10
Severity: important
Tags: security upstream
Forwarded: https://caml.inria.fr/mantis/view.php?id=7765

Hi,

The following vulnerability was published for ocaml.

CVE-2018-9838[0]:
| The caml_ba_deserialize function in byterun/bigarray.c in the standard
| library in OCaml 4.06.0 has an integer overflow which, in situations
| where marshalled data is accepted from an untrusted source, allows
| remote attackers to cause a denial of service (memory corruption) or
| possibly execute arbitrary code via a crafted object.

A solution is still being discussed upstream in [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-9838
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9838
[1] https://caml.inria.fr/mantis/view.php?id=7765
[2] https://github.com/ocaml/ocaml/pull/1718

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
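
The class of bug named in the CVE text above (a size computed from dimensions read out of untrusted serialized data), shown unchecked and checked. This is an added example, not OCaml's code and not part of the original messages; the function names, the dimension-array layout and the `MAX_DIMS` cap are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DIMS 16 /* assumed cap for this sketch */

/* Unchecked: the products wrap modulo SIZE_MAX+1, so the result can be
   far smaller than the array the header claims to describe. */
size_t payload_size_unchecked(const uint64_t *dims, int ndims, size_t elt_size) {
    size_t n = 1;
    for (int i = 0; i < ndims; i++) n *= (size_t)dims[i];
    return n * elt_size;
}

/* Checked: returns 0 and stores the byte count in *out, or -1 when the
   header is implausible. avail is the number of input bytes remaining. */
int payload_size_checked(const uint64_t *dims, int ndims, size_t elt_size,
                         size_t avail, size_t *out) {
    size_t n = 1;
    if (ndims < 1 || ndims > MAX_DIMS || elt_size == 0) return -1;
    for (int i = 0; i < ndims; i++) {
        if (dims[i] > SIZE_MAX) return -1;         /* does not fit in size_t */
        size_t d = (size_t)dims[i];
        if (d != 0 && n > SIZE_MAX / d) return -1; /* n * d would wrap */
        n *= d;
    }
    if (n > SIZE_MAX / elt_size) return -1;        /* n * elt_size would wrap */
    if (n * elt_size > avail) return -1;           /* more than the input holds */
    *out = n * elt_size;
    return 0;
}

int main(void) {
    /* Constructed sample headers: one whose product wraps, one honest. */
    uint64_t wrap[2] = { (uint64_t)SIZE_MAX / 2 + 1, 2 };
    uint64_t ok[2] = { 3, 4 };
    size_t bytes = 0;
    printf("unchecked size for wrapping header: %zu\n",
           payload_size_unchecked(wrap, 2, 8));
    printf("checked, wrapping header: %d\n",
           payload_size_checked(wrap, 2, 8, 1024, &bytes));
    printf("checked, honest header: %d\n",
           payload_size_checked(ok, 2, 8, 96, &bytes));
    return 0;
}
```

Comparing the computed size against the bytes actually remaining in the input also rejects headers that do not overflow but still claim more data than was sent.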
--- Begin Message ---
Source: ocaml
Source-Version: 4.05.0-11

We believe that the bug you reported is fixed in the latest version of
ocaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stéphane Glondu <glo...@debian.org> (supplier of updated ocaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 25 Jan 2019 14:59:28 +0100
Source: ocaml
Binary: ocaml ocaml-base ocaml-base-dbgsym ocaml-base-nox ocaml-base-nox-dbgsym ocaml-compiler-libs ocaml-interp ocaml-mode ocaml-nox ocaml-nox-dbgsym ocaml-source
Architecture: source amd64 all
Version: 4.05.0-11
Distribution: unstable
Urgency: medium
Maintainer: Debian OCaml Maintainers <debian-ocaml-ma...@lists.debian.org>
Changed-By: Stéphane Glondu <glo...@debian.org>
Description:
 ocaml      - ML language implementation with a class-based object system
 ocaml-base - Runtime system for OCaml bytecode executables
 ocaml-base-nox - Runtime system for OCaml bytecode executables (no X)
 ocaml-compiler-libs - OCaml interpreter and standard libraries
 ocaml-interp - OCaml interactive interpreter and standard libraries
 ocaml-mode - major mode for editing Objective Caml in Emacs
 ocaml-nox  - ML implementation with a class-based object system (no X)
 ocaml-source - Sources for Objective Caml
Closes: 895472 895994
Changes:
 ocaml (4.05.0-11) unstable; urgency=medium
 .
   [ Ralf Treinen ]
   * Dropped "Recommends: camlp4" from ocaml-nox since that package is
     being deprecated. (Closes: #895994)
 .
   [ Stéphane Glondu ]
   * Fix integer overflows when unmarshaling a bigarray
     (Closes: #895472, CVE-2018-9838)
   * Update Vcs-* to point to salsa

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---