GNU bug report logs - #27462
OCaml CVE-2015-8869

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Fri, 23 Jun 2017 16:42:02 UTC

Severity: normal

Tags: security

Done: Julien Lepiller <julien <at> lepiller.eu>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Andreas Enge <andreas <at> enge.fr>
To: 27462 <at> debbugs.gnu.org
Cc: Ben Woodcroft <b.woodcroft <at> uq.edu.au>
Subject: bug#27462: OCaml CVE-2015-8869
Date: Thu, 31 Jan 2019 18:21:13 +0100

On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software

I suppose not, because one of its dependencies currently does not build:

...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
   191:35  4 (_ _)
In srfi/srfi-1.scm:
   863:16  3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
   799:28  2 (_ _)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
     55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
    616:6  0 (invoke _ . _)

/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6: In procedure invoke:
Throw to key `srfi-34' with args `(#<condition &invoke-error [program: "./configure" arguments: ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0") exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
builder for `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv failed
...

Shall we remove all the ocaml-4.01 universe? The next step would be 4.02,
it appears that the CVE is solved with 4.03 only:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
   "OCaml before 4.03.0 does not properly handle..."

Andreas
This bug report was last modified 5 years and 326 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.