GNU bug report logs

#27462 OCaml CVE-2015-8869


Report forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Fri, 23 Jun 2017 16:42:02 GMT) (full text, mbox, link).


Acknowledgement sent to Leo Famulari <leo@famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Fri, 23 Jun 2017 16:42:02 GMT) (full text, mbox, link).


Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: bug-guix@gnu.org
Subject: OCaml CVE-2015-8869
Date: Fri, 23 Jun 2017 12:41:29 -0400
Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
in the primary ocaml package in April 2016. Unfortunately, this patch
was not included when the ocaml-4.01 package was created in January
2017.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

Do we need this older version of OCaml? If so, we need a volunteer to
maintain it.

Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Sat, 24 Jun 2017 00:27:01 GMT) (full text, mbox, link).


Message #8 received at 27462@debbugs.gnu.org (full text, mbox, reply):

From: Ben Woodcroft <b.woodcroft@uq.edu.au>
To: Leo Famulari <leo@famulari.name>, 27462@debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Sat, 24 Jun 2017 10:25:52 +1000
Hi Leo,


On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.

Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to 
build pplacer, a bioinformatics program. I was planning on submitting 3 
further bioinformatic packages soon which rely on pplacer, however.

I'm not sure I have the bandwidth to backport patches to such an old 
release, especially since the OCaml maintainers do not appear to be 
either, AFAICS.

This is a little frustrating, but perhaps they should be removed. WDYT?

ben




Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Sat, 24 Jun 2017 16:04:02 GMT) (full text, mbox, link).


Message #11 received at 27462@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: Ben Woodcroft <b.woodcroft@uq.edu.au>
Cc: 27462@debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Sat, 24 Jun 2017 12:03:04 -0400
On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> > 
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> > 
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
> 
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
> 
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
> 
> This is a little frustrating, but perhaps they should be removed. WDYT?

That is a last resort :)

We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.

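Leo's checklist above (is the base package affected, and which packages would go with it) is the usual triage for a distribution carrying a vulnerable compiler. The following is an added example, not code from this bug report or from Guix: it applies the CVE's "before 4.03.0" range to a constructed inventory of packages named in the thread and walks the dependency graph to show what a removal would take down. The dependency edges and the `ocaml@4.07` and `some-bio-tool` entries are assumptions used only to make the graph non-trivial.

```python
"""Flag packaged versions that fall inside a CVE's affected range and list
everything that transitively depends on them.

Added example; not Guix code. The inventory below is constructed from the
package names in this bug thread; the edges are assumptions, not read from
a real Guix checkout.
"""
from typing import Dict, List, Set, Tuple

# The CVE text quoted in the thread says "OCaml before 4.03.0 ...".
FIXED_IN = "4.03.0"

# Constructed dependency graph: package -> list of direct inputs.
PACKAGES: Dict[str, List[str]] = {
    "ocaml@4.01": [],
    "ocaml@4.02": [],
    "ocaml@4.07": [],                 # assumed stand-in for "the latest ocaml"
    "ocaml4.01-gsl": ["ocaml@4.01"],
    "pplacer": ["ocaml@4.01", "ocaml4.01-gsl"],
    "bap": ["ocaml@4.02"],
    "some-bio-tool": ["pplacer"],     # placeholder for a pplacer dependent
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.01' or '4.03.0' into a comparable tuple, padded to 3 parts."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str, fixed_in: str = FIXED_IN) -> bool:
    """'before X' in CVE wording means strictly older than X."""
    return parse_version(version) < parse_version(fixed_in)


def affected_roots(packages: Dict[str, List[str]], base_name: str = "ocaml") -> Set[str]:
    """Versions of base_name (written name@version) inside the affected range."""
    roots: Set[str] = set()
    for name in packages:
        if "@" in name:
            pkg, ver = name.split("@", 1)
            if pkg == base_name and is_affected(ver):
                roots.add(name)
    return roots


def dependents(packages: Dict[str, List[str]], roots: Set[str]) -> Dict[str, Set[str]]:
    """For each affected root, every package that transitively depends on it."""
    reverse: Dict[str, Set[str]] = {}
    for pkg, inputs in packages.items():
        for inp in inputs:
            reverse.setdefault(inp, set()).add(pkg)
    result: Dict[str, Set[str]] = {}
    for root in roots:
        seen: Set[str] = set()
        stack = [root]
        while stack:
            cur = stack.pop()
            for d in reverse.get(cur, ()):
                if d not in seen:
                    seen.add(d)
                    stack.append(d)
        result[root] = seen
    return result


def report(packages: Dict[str, List[str]] = PACKAGES) -> Dict[str, List[str]]:
    """Affected root -> sorted list of packages a removal would also drop."""
    roots = affected_roots(packages)
    return {r: sorted(d) for r, d in dependents(packages, roots).items()}


if __name__ == "__main__":
    for root, deps in sorted(report().items()):
        print(f"{root}: affected; removing it also removes {', '.join(deps) or 'nothing'}")
```

On the constructed graph this reports both `ocaml@4.01` (taking `ocaml4.01-gsl`, `pplacer` and its dependent with it) and `ocaml@4.02` (taking `bap`), which is the shape of the decision the rest of the thread works through.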
Added tag(s) security. Request was from ludo@gnu.org (Ludovic Courtès) to control@debbugs.gnu.org. (Thu, 27 Jul 2017 12:26:02 GMT) (full text, mbox, link).


Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Thu, 31 Jan 2019 16:58:02 GMT) (full text, mbox, link).


Message #16 received at 27462@debbugs.gnu.org (full text, mbox, reply):

From: Andreas Enge <andreas@enge.fr>
To: 27462@debbugs.gnu.org
Cc: Ben Woodcroft <b.woodcroft@uq.edu.au>
Subject: OCaml CVE-2015-8869
Date: Thu, 31 Jan 2019 17:57:03 +0100
Hello,

this bug has been open for quite a while, and the development of pplacer seems
to be stalled, with the latest commit in May 2018, and no reaction whatsoever
to Ben's bug report
   https://github.com/matsen/pplacer/issues/354

How should we continue? Are people using the software, or should we maybe
remove it?

Andreas





Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Thu, 31 Jan 2019 17:22:01 GMT) (full text, mbox, link).


Message #19 received at 27462@debbugs.gnu.org (full text, mbox, reply):

From: Andreas Enge <andreas@enge.fr>
To: 27462@debbugs.gnu.org
Cc: Ben Woodcroft <b.woodcroft@uq.edu.au>
Subject: Re: OCaml CVE-2015-8869
Date: Thu, 31 Jan 2019 18:21:13 +0100
On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software

I suppose not, because one of its dependencies currently does not build:

...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
   191:35  4 (_ _)
In srfi/srfi-1.scm:
   863:16  3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
   799:28  2 (_ _)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
     55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
    616:6  0 (invoke _ . _)

/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6: In procedure invoke:
Throw to key `srfi-34' with args `(#<condition &invoke-error [program: "./configure" arguments: ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0") exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
builder for `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv failed
...

Shall we remove all the ocaml-4.01 universe? The next step would be 4.02;
it appears that the CVE is solved with 4.03 only:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
   "OCaml before 4.03.0 does not properly handle..."

Andreas
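The build log quoted above carries the three facts a packager needs to triage a broken dependent: the phase that failed, the program the build system invoked, and its exit status. As an added example (not part of the bug report or of Guix), the script below pulls those out of a constructed excerpt modelled on the quoted log; the interpretation of exit status 127 is the conventional "exec failed / not found" meaning and is an assumption about how the builder reports it.

```python
"""Triage a Guix build log excerpt: failing phase, invoked program, exit status.

Added example; not Guix code. LOG is a constructed excerpt modelled on the
failure quoted in this thread.
"""
import re
from typing import Dict, Optional

LOG = """\
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
Throw to key `srfi-34' with args `(#<condition &invoke-error [program: "./configure" arguments: ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0") exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
builder for `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed with exit code 1
"""

# Conventional exec-level exit statuses (assumption: the builder follows the
# usual POSIX shell conventions when exec of the program fails).
EXIT_HINTS = {
    126: "program found but not executable",
    127: "program not found (or its interpreter is missing)",
}

PHASE_RE = re.compile(r"^starting phase `([^']+)'", re.M)
INVOKE_RE = re.compile(
    r'&invoke-error \[program: "([^"]+)".*?exit-status: (\d+|#f)'
    r" term-signal: (\d+|#f)"
)
DRV_RE = re.compile(r"builder for `([^']+)' failed with exit code (\d+)")


def _num(field: str) -> Optional[int]:
    """Guile prints #f for 'no value'; everything else here is an integer."""
    return None if field == "#f" else int(field)


def triage(log: str) -> Dict[str, object]:
    """Extract the failing phase, program, exit status and derivation."""
    phases = PHASE_RE.findall(log)
    inv = INVOKE_RE.search(log)
    drv = DRV_RE.search(log)
    status = _num(inv.group(2)) if inv else None
    return {
        "phase": phases[-1] if phases else None,   # last phase started is the one that failed
        "program": inv.group(1) if inv else None,
        "exit_status": status,
        "term_signal": _num(inv.group(3)) if inv else None,
        "hint": EXIT_HINTS.get(status, "see program output above") if status is not None else None,
        "derivation": drv.group(1) if drv else None,
    }


if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(f"{key:12} {value}")
```

Run over the constructed excerpt it reports phase `configure`, program `./configure`, exit status 127 with the "not found" hint, and the failing `.drv`; batch-running it over the logs of every dependent of a vulnerable package gives a quick picture of which of them still build at all.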





Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Thu, 31 Jan 2019 17:27:02 GMT) (full text, mbox, link).


Message #22 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: swedebugia <swedebugia@riseup.net>
To: bug-guix@gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Thu, 31 Jan 2019 18:26:32 +0100
On 2019-01-31 17:57, Andreas Enge wrote:
> Hello,
> 
> this bug has been open for quite a while, and the development of pplacer seems
> to be stalled, with the latest commit in May 2018, and no reaction whatsoever
> to Ben's bug report
>     https://github.com/matsen/pplacer/issues/354
> 
> How should we continue? Are people using the software, or should we maybe
> remove it?

Remove sounds good to me.

-- 
Cheers Swedebugia




Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Thu, 31 Jan 2019 17:31:01 GMT) (full text, mbox, link).


Message #25 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Julien Lepiller <julien@lepiller.eu>
To: bug-guix@gnu.org, Andreas Enge <andreas@enge.fr>, 27462@debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Thu, 31 Jan 2019 18:30:27 +0100
On 31 January 2019 18:21:13 GMT+01:00, Andreas Enge <andreas@enge.fr> wrote:
>On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
>> Are people using the software
>
>I suppose not, because one of its dependencies currently does not
>build:
>
>...
>phase `ocaml-findlib-environment' succeeded after 0.0 seconds
>starting phase `configure'
>build directory:
>"/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
>running 'configure' with arguments ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>Backtrace:
>           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
>In ice-9/eval.scm:
>   191:35  4 (_ _)
>In srfi/srfi-1.scm:
>  863:16  3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
>   799:28  2 (_ _)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
>     55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
>    616:6  0 (invoke _ . _)
>
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6:
>In procedure invoke:
>Throw to key `srfi-34' with args `(#<condition &invoke-error [program:
>"./configure" arguments: ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
>builder for
>`/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv'
>failed with exit code 1
>build of
>/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv
>failed
>...
>
>Shall we remove all the ocaml-4.01 universe? The next step would be
>4.02,
>it appears that the CVE is solved with 4.03 only:
>
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>   "OCaml before 4.03.0 does not properly handle..."
>
>Andreas

I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.




Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Thu, 31 Jan 2019 17:31:02 GMT) (full text, mbox, link).


Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Tue, 19 Feb 2019 22:18:01 GMT) (full text, mbox, link).


Message #31 received at 27462@debbugs.gnu.org (full text, mbox, reply):

From: Andreas Enge <andreas@enge.fr>
To: Julien Lepiller <julien@lepiller.eu>
Cc: 27462@debbugs.gnu.org, bug-guix@gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Tue, 19 Feb 2019 23:17:52 +0100
On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
> I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.

Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
all other dependent packages.

Is ocaml@4.02 really needed? It would be nice to get rid of a package
with CVE.

Andreas





Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Tue, 19 Feb 2019 22:19:01 GMT) (full text, mbox, link).


Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Wed, 20 Feb 2019 08:40:02 GMT) (full text, mbox, link).


Message #37 received at 27462@debbugs.gnu.org (full text, mbox, reply):

From: Julien Lepiller <julien@lepiller.eu>
To: Andreas Enge <andreas@enge.fr>
Cc: 27462@debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Wed, 20 Feb 2019 09:39:20 +0100
On 19 February 2019 23:17:52 GMT+01:00, Andreas Enge <andreas@enge.fr> wrote:
>On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
>> I still care about ocaml-4.02, but I could probably update it to
>ocaml-4.04 without breaking dependents.
>
>Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
>4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
>all other dependent packages.
>
>Is ocaml@4.02 really needed? It would be nice to get rid of a package
>with CVE.
>
>Andreas

At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?

Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…




Information forwarded to bug-guix@gnu.org:
bug#27462; Package guix. (Wed, 20 Feb 2019 11:28:01 GMT) (full text, mbox, link).


Message #40 received at 27462@debbugs.gnu.org (full text, mbox, reply):

From: Andreas Enge <andreas@enge.fr>
To: Julien Lepiller <julien@lepiller.eu>
Cc: 27462@debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Wed, 20 Feb 2019 12:27:47 +0100
On Wed, Feb 20, 2019 at 09:39:20AM +0100, Julien Lepiller wrote:
> At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?
> 
> Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…

I understand! Waiting a bit more should be okay given how long this bug
is already open... Or packaging a current snapshot of bap (with suitable
numbering as laid out, I think, in the documentation, so that users
will upgrade automatically from the current version over the snapshot to
the next released version).

Thanks,

Andreas





Reply sent to Julien Lepiller <julien@lepiller.eu>:
You have taken responsibility. (Fri, 05 Jul 2019 12:13:01 GMT) (full text, mbox, link).


Notification sent to Leo Famulari <leo@famulari.name>:
bug acknowledged by developer. (Fri, 05 Jul 2019 12:13:02 GMT) (full text, mbox, link).


Message #45 received at 27462-done@debbugs.gnu.org (full text, mbox, reply):

From: Julien Lepiller <julien@lepiller.eu>
To: 27462-done@debbugs.gnu.org
Subject: OCaml CVE-2015-8869
Date: Fri, 05 Jul 2019 14:12:56 +0200
Ocaml-4.02 was removed a few months ago in c3634df2 but I forgot to close this bug report.




bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Sat, 03 Aug 2019 11:24:06 GMT) (full text, mbox, link).




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 14:38:16 2024; Machine Name: wallace-server

GNU bug tracking system
