From: Damien Doligez <Damien.Doligez AT inria.fr>
To: caml announce <caml-announce AT inria.fr>, caml users <caml-list AT inria.fr>
Subject: [Caml-list] OCaml release 4.04.2
Date: Fri, 23 Jun 2017 17:18:44 +0200

Dear OCaml users,

We have the pleasure of celebrating the birthday of Alan Turing by announcing the release of OCaml version 4.04.2.

This minor release fixes the security issue described in CVE-2017-9772 (included below).

All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1. Any user who produces setuid programs with OCaml should read the CVE and upgrade immediately.

It is available as an OPAM switch, or as a source download here:

Happy hacking,

-- Damien Doligez for the OCaml team.

OCaml 4.04.2 (23 Jun 2017):
---------------------------

### Security fix:

- PR#7557: Local privilege escalation issue with ocaml binaries.
  (Damien Doligez, report by Eric Milliken, review by Xavier Leroy)

--------------------------------------------------------------------

CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables

The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled executable or any ocamlc-compiled executable in 'custom runtime mode'. This can lead to privilege escalation if the executable is marked setuid.

Vulnerable versions: OCaml 4.04.0 and 4.04.1

Workarounds:

- Upgrade to OCaml 4.04.2 or higher.
or
- Compile the OCaml distribution with the "-no-cplugins" configure option.
or
- OPAM users can "opam update && opam switch recompile 4.04.1", as the repository has had backported patches applied.

Impact: This only affects binaries that have been installed on Unix-like operating systems (including Linux and macOS) with the setuid bit set. However, in that situation, any user who executes the program gains all the privileges of the owner of the executable (meaning that root-owned setuid executables provide root access).

Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv to raise an exception if the process has ever had elevated privileges. The OCaml runtime has also been modified to use this checked getenv for retrieving all of the runtime environment variables which could potentially cause files to be accessed or modified. The older behaviour is available in Sys.unsafe_getenv for applications that require strict compatibility.

Credits: This was originally reported by Eric Milliken on the OCaml Mantis bug tracker. https://caml.inria.fr/mantis/view.php?id=7557

References: see CVE-2017-9779 for a lesser vulnerability in older versions.

CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L

CWE ID: 114
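As an added illustration of the mitigation described under "Fix" (this is not the OCaml runtime's own code), here is a C sketch of the same gate: an environment lookup that yields nothing once the process has ever held elevated privileges, and a plugin-list lookup routed through it so a setuid binary ignores CAML_CPLUGINS. The function names are hypothetical, the wrapper returns NULL where OCaml's Sys.getenv raises, and the "ever privileged" test assumes Linux getauxval(AT_SECURE) or BSD/macOS issetugid() plus a uid/gid comparison as the portable fallback.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif

/* Pure policy check, kept separate so it can be exercised with constructed
   ids: a process counts as privileged if its real and effective ids differ
   or the kernel flagged the execution as secure (Linux AT_SECURE,
   BSD/macOS issetugid). */
int privileged_process(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                       int secure_flag)
{
    return secure_flag || uid != euid || gid != egid;
}

/* "Has this process ever had elevated privileges?" for the running process.
   AT_SECURE / issetugid stay set even after the program drops privileges,
   which is why the uid/euid comparison alone is not enough. */
int process_is_privileged(void)
{
    int secure_flag = 0;
#if defined(__linux__)
    secure_flag = getauxval(AT_SECURE) != 0;
#elif defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__)
    secure_flag = issetugid() != 0;
#endif
    return privileged_process(getuid(), geteuid(), getgid(), getegid(),
                              secure_flag);
}

/* Hardened lookup in the spirit of the 4.04.2 Sys.getenv: a privileged
   process never sees the variable. (Hypothetical name, not OCaml's API.) */
const char *checked_getenv(const char *name)
{
    if (process_is_privileged())
        return NULL;
    return getenv(name);
}

/* The loader gate: the plugin list only comes from the environment when the
   checked lookup allows it, so a setuid executable never auto-loads code
   named by CAML_CPLUGINS. */
const char *cplugins_from_env(void)
{
    return checked_getenv("CAML_CPLUGINS");
}
```

Run unprivileged, cplugins_from_env() returns whatever CAML_CPLUGINS holds; run from a setuid binary, or after a setuid binary has dropped privileges, it returns NULL.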