Hello community, here is the log from the commit of package ocaml for openSUSE:Factory checked in at 2018-04-22 14:31:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ocaml (Old) and /work/SRC/openSUSE:Factory/.ocaml.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ocaml" Sun Apr 22 14:31:42 2018 rev:64 rq:597155 version:4.05.0 Changes: -------- --- /work/SRC/openSUSE:Factory/ocaml/ocaml.changes 2018-04-06 17:46:36.677854350 +0200 +++ /work/SRC/openSUSE:Factory/.ocaml.new/ocaml.changes 2018-04-22 14:31:48.393975897 +0200 @@ -1,0 +2,10 @@ +Fri Apr 13 14:08:55 UTC 2018 - [email protected] + +- add ocaml-4.05.0-CVE-2018-9838.patch to fix integer overflows + when unmarshaling a bigarray. Malicious or corrupted marshaled + data can result in a bigarray with impossibly large dimensions + that cause overflow when computing the in-memory size of the + bigarray. Disaster ensues when the data is read in a too small + memory area [bnc#1088591] [CVE-2018-9838] + +------------------------------------------------------------------- New: ---- ocaml-4.05.0-CVE-2018-9838.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ocaml.spec ++++++ --- /var/tmp/diff_new_pack.codvS5/_old 2018-04-22 14:31:49.277943904 +0200 +++ /var/tmp/diff_new_pack.codvS5/_new 2018-04-22 14:31:49.285943614 +0200 @@ -61,6 +61,7 @@ Patch4: ocaml-configure-Allow-user-defined-C-compiler-flags.patch Patch5: ocaml-3.08.3-gcc4.patch Patch7: ocaml-3.09-emacs_localcompile.patch +Patch8: ocaml-4.05.0-CVE-2018-9838.patch # This gets ocamlobjinfo to work with .cmxs files BuildRequires: binutils-devel BuildRequires: emacs-nox ++++++ ocaml-4.05.0-CVE-2018-9838.patch ++++++ >From 76566ed26c84e6fe800a67b62edbd260ccc30ef9 Mon Sep 17 00:00:00 2001 
From: Xavier Leroy <[email protected]> Date: Wed, 11 Apr 2018 12:05:08 +0200 Subject: [PATCH] MPR7765: integer overflows when unmarshaling a bigarray Malicious or corrupted marshaled data can result in a bigarray with impossibly large dimensions that cause overflow when computing the in-memory size of the bigarray. Disaster ensues when the data is read in a too small memory area. This commit checks for overflows when computing the in-memory size of the bigarray. Index: ocaml-4.05.0/otherlibs/bigarray/bigarray_stubs.c =================================================================== --- ocaml-4.05.0.orig/otherlibs/bigarray/bigarray_stubs.c +++ ocaml-4.05.0/otherlibs/bigarray/bigarray_stubs.c 
@@ -966,22 +966,31 @@ static void caml_ba_deserialize_longarra uintnat caml_ba_deserialize(void * dst) { struct caml_ba_array * b = dst; - int i, elt_size; - uintnat num_elts; + int i; + uintnat num_elts, size; /* Read back header information */ b->num_dims = caml_deserialize_uint_4(); + if (b->num_dims < 0 || b->num_dims > CAML_BA_MAX_NUM_DIMS) + caml_deserialize_error("input_value: wrong number of bigarray dimensions"); b->flags = caml_deserialize_uint_4() | CAML_BA_MANAGED; b->proxy = NULL; for (i = 0; i < b->num_dims; i++) b->dim[i] = caml_deserialize_uint_4(); - /* Compute total number of elements */ - num_elts = caml_ba_num_elts(b); - /* Determine element size in bytes */ + /* Compute total number of elements. Watch out for overflows (MPR#7765). */ + num_elts = 1; + for (i = 0; i < b->num_dims; i++) { + if (caml_umul_overflow(num_elts, b->dim[i], &num_elts)) + caml_deserialize_error("input_value: size overflow for bigarray"); + } + /* Determine element size in bytes. Watch out for overflows (MPR#7765). */ if ((b->flags & CAML_BA_KIND_MASK) > CAML_BA_CHAR) caml_deserialize_error("input_value: bad bigarray kind"); - elt_size = caml_ba_element_size[b->flags & CAML_BA_KIND_MASK]; + if (caml_umul_overflow(num_elts, + caml_ba_element_size[b->flags & CAML_BA_KIND_MASK], + &size)) + caml_deserialize_error("input_value: size overflow for bigarray"); /* Allocate room for data */ - b->data = malloc(elt_size * num_elts); + b->data = malloc(size); if (b->data == NULL) caml_deserialize_error("input_value: out of memory for bigarray"); /* Read data */
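Review bot: the ocaml.spec hunk only declares "Patch8: ocaml-4.05.0-CVE-2018-9838.patch"; no line in the visible context applies it. Check that %prep picks it up (a matching %patch8 line, or an automatic patch macro if the spec uses one), otherwise the package builds without the fix even though ocaml.changes says it is included. The patch paths are "ocaml-4.05.0.orig/otherlibs/..." and "ocaml-4.05.0/otherlibs/...", so it needs a strip level of 1.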
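Review bot: at the allocation at the end of the caml_ba_deserialize hunk, "b->data = malloc(size);" followed by the "b->data == NULL" check also reports "out of memory for bigarray" for a zero-byte request. size is 0 whenever any b->dim[i] is 0, and malloc(0) is allowed to return NULL, so an empty bigarray can fail to unmarshal on such C libraries. Suggest treating NULL as an error only when size != 0, or allocating at least one byte. Separately, both caml_umul_overflow failures raise the same "input_value: size overflow for bigarray" message; distinct wording for the element-count case and the byte-size case would make a rejected input easier to diagnose. The patch carries no test; a regression test that unmarshals a header with oversized dimensions and expects the failure would pin the MPR#7765 behaviour.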
