From: Julien Lepiller
Subject: bug#27462: OCaml CVE-2015-8869
Date: Thu, 31 Jan 2019 18:30:27 +0100
Message-ID: <96513178-922C-49D6-AF32-0EF723343C8E@lepiller.eu>
References: <20190131165613.GA27597@jurong> <20190131172113.GA29071@jurong>
In-Reply-To: <20190131172113.GA29071@jurong>
List-Id: Bug reports for GNU Guix
To: 27462@debbugs.gnu.org,
 andreas@enge.fr

On 31 January 2019 18:21:13 GMT+01:00, Andreas Enge wrote:
>On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
>> Are people using the software
>
>I suppose not, because one of its dependencies currently does not
>build:
>
>...
>phase `ocaml-findlib-environment' succeeded after 0.0 seconds
>starting phase `configure'
>build directory:
>"/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
>running 'configure' with arguments ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>Backtrace:
> 5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
>In ice-9/eval.scm:
> 191:35 4 (_ _)
>In srfi/srfi-1.scm:
> 863:16 3 (every1 # …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
> 799:28 2 (_ _)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
> 55:8 1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
> 616:6 0 (invoke _ . _)
>
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6:
>In procedure invoke:
>Throw to key `srfi-34' with args `(#"./configure" arguments: ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
>builder for
>`/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv'
>failed with exit code 1
>build of
>/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv
>failed
>...
>
>Shall we remove all the ocaml-4.01 universe? The next step would be
>4.02,
>it appears that the CVE is solved with 4.03 only:
>
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> "OCaml before 4.03.0 does not properly handle..."
>
>Andreas

I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.