GNU bug report logs - #27462
OCaml CVE-2015-8869


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Fri, 23 Jun 2017 16:42:02 UTC

Severity: normal

Tags: security

Done: Julien Lepiller <julien <at> lepiller.eu>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#27462; Package guix. (Fri, 23 Jun 2017 16:42:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 23 Jun 2017 16:42:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: OCaml CVE-2015-8869 
Date: Fri, 23 Jun 2017 12:41:29 -0400
Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
in the primary ocaml package in April 2016. Unfortunately, this patch
was not included when the ocaml-4.01 package was created in January
2017.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

Do we need this older version of OCaml? If so, we need a volunteer to
maintain it.

Information forwarded to bug-guix <at> gnu.org:
bug#27462; Package guix. (Sat, 24 Jun 2017 00:27:01 GMT)

Message #8 received at 27462 <at> debbugs.gnu.org:

From: Ben Woodcroft <b.woodcroft <at> uq.edu.au>
To: Leo Famulari <leo <at> famulari.name>, 27462 <at> debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Sat, 24 Jun 2017 10:25:52 +1000
Hi Leo,


On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.

Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to 
build pplacer, a bioinformatics program. I was planning on submitting 3 
further bioinformatic packages soon which rely on pplacer, however.

I'm not sure I have the bandwidth to backport patches to such an old 
release, especially since the OCaml maintainers do not appear to be 
either, AFAICS.

This is a little frustrating, but perhaps they should be removed. WDYT?

ben




Information forwarded to bug-guix <at> gnu.org:
bug#27462; Package guix. (Sat, 24 Jun 2017 16:04:02 GMT)

Message #11 received at 27462 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ben Woodcroft <b.woodcroft <at> uq.edu.au>
Cc: 27462 <at> debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Sat, 24 Jun 2017 12:03:04 -0400
On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> > 
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> > 
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
> 
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
> 
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
> 
> This is a little frustrating, but perhaps they should be removed. WDYT?

That is a last resort :)

We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.

Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Thu, 27 Jul 2017 12:26:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#27462; Package guix. (Thu, 31 Jan 2019 16:58:02 GMT)

Message #16 received at 27462 <at> debbugs.gnu.org:

From: Andreas Enge <andreas <at> enge.fr>
To: 27462 <at> debbugs.gnu.org
Cc: Ben Woodcroft <b.woodcroft <at> uq.edu.au>
Subject: OCaml CVE-2015-8869
Date: Thu, 31 Jan 2019 17:57:03 +0100
Hello,

this bug has been open for quite a while, and the development of pplacer seems
to be stalled, with the latest commit in May 2018, and no reaction whatsoever
to Ben's bug report
   https://github.com/matsen/pplacer/issues/354

How should we continue? Are people using the software, or should we maybe
remove it?

Andreas





Information forwarded to bug-guix <at> gnu.org:
bug#27462; Package guix. (Thu, 31 Jan 2019 17:22:01 GMT)

Message #19 received at 27462 <at> debbugs.gnu.org:

From: Andreas Enge <andreas <at> enge.fr>
To: 27462 <at> debbugs.gnu.org
Cc: Ben Woodcroft <b.woodcroft <at> uq.edu.au>
Subject: Re: OCaml CVE-2015-8869
Date: Thu, 31 Jan 2019 18:21:13 +0100
On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software

I suppose not, because one of its dependencies currently does not build:

...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
   191:35  4 (_ _)
In srfi/srfi-1.scm:
   863:16  3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
   799:28  2 (_ _)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
     55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
    616:6  0 (invoke _ . _)

/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6: In procedure invoke:
Throw to key `srfi-34' with args `(#<condition &invoke-error [program: "./configure" arguments: ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0") exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
builder for `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv failed
...

Shall we remove all the ocaml-4.01 universe? The next step would be 4.02,
it appears that the CVE is solved with 4.03 only:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
   "OCaml before 4.03.0 does not properly handle..."

Andreas





Information forwarded to bug-guix <at> gnu.org:
bug#27462; Package guix. (Thu, 31 Jan 2019 17:27:02 GMT)

Message #22 received at submit <at> debbugs.gnu.org:

From: swedebugia <swedebugia <at> riseup.net>
To: bug-guix <at> gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Thu, 31 Jan 2019 18:26:32 +0100
On 2019-01-31 17:57, Andreas Enge wrote:
> Hello,
> 
> this bug has been open for quite a while, and the development of pplacer seems
> to be stalled, with the latest commit in May 2018, and no reaction whatsoever
> to Ben's bug report
>     https://github.com/matsen/pplacer/issues/354
> 
> How should we continue? Are people using the software, or should we maybe
> remove it?

Remove sounds good to me.

-- 
Cheers Swedebugia




Information forwarded to bug-guix <at> gnu.org:
bug#27462; Package guix. (Thu, 31 Jan 2019 17:31:01 GMT)

Message #25 received at submit <at> debbugs.gnu.org:

From: Julien Lepiller <julien <at> lepiller.eu>
To: bug-guix <at> gnu.org,Andreas Enge <andreas <at> enge.fr>,27462 <at> debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Thu, 31 Jan 2019 18:30:27 +0100
Le 31 janvier 2019 18:21:13 GMT+01:00, Andreas Enge <andreas <at> enge.fr> a écrit :
>On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
>> Are people using the software
>
>I suppose not, because one of its dependencies currently does not
>build:
>
>...
>phase `ocaml-findlib-environment' succeeded after 0.0 seconds
>starting phase `configure'
>build directory:
>"/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
>running 'configure' with arguments ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>Backtrace:
>           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
>In ice-9/eval.scm:
>   191:35  4 (_ _)
>In srfi/srfi-1.scm:
>  863:16  3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
>   799:28  2 (_ _)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
>     55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
>    616:6  0 (invoke _ . _)
>
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6:
>In procedure invoke:
>Throw to key `srfi-34' with args `(#<condition &invoke-error [program:
>"./configure" arguments: ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
>builder for
>`/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv'
>failed with exit code 1
>build of
>/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv
>failed
>...
>
>Shall we remove all the ocaml-4.01 universe? The next step would be
>4.02,
>it appears that the CVE is solved with 4.03 only:
>
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>   "OCaml before 4.03.0 does not properly handle..."
>
>Andreas

I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.




Information forwarded to bug-guix <at> gnu.org:
bug#27462; Package guix. (Tue, 19 Feb 2019 22:18:01 GMT)

Message #31 received at 27462 <at> debbugs.gnu.org:

From: Andreas Enge <andreas <at> enge.fr>
To: Julien Lepiller <julien <at> lepiller.eu>
Cc: 27462 <at> debbugs.gnu.org, bug-guix <at> gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Tue, 19 Feb 2019 23:17:52 +0100
On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
> I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.

Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml <at> 4.01, pplacer and
all other dependent packages.

Is ocaml <at> 4.02 really needed? It would be nice to get rid of a package
with CVE.

Andreas
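The removal Andreas describes above (the vulnerable compiler plus "all other dependent packages") is a reverse-dependency closure, and the "before 4.03.0" test from the CVE text is a version-range check. The following is an added example, not code from this thread or from Guix itself: it runs both checks over a small constructed package graph shaped like the one discussed here. The package graph, the versions, and every package name other than `ocaml`, `pplacer` and `bap` are made up for the example; Guix's real definitions and its `guix refresh -l` / `guix lint` tooling are not used. The version parser is generalized slightly beyond the page's single case so that suffixed versions such as `4.03.0+dev` also sort correctly.

```python
"""Added example, not Guix's code and not from this thread: given a small,
constructed package graph shaped like the one discussed here, flag every
OCaml package whose version falls inside the CVE-2015-8869 affected range
("OCaml before 4.03.0") and compute the transitive reverse dependencies
that removing it would take along."""
import re
from collections import deque

# Constructed sample graph: package -> (version, direct inputs).
# Versions, and every package other than ocaml*, pplacer and bap, are
# hypothetical; these are not Guix's real package definitions.
SAMPLE_PACKAGES = {
    "ocaml@4.01": ("4.01.0", []),
    "ocaml@4.02": ("4.02.3", []),
    "ocaml": ("4.07.1", []),
    "ocaml4.01-gsl": ("1.22.0", ["ocaml@4.01"]),
    "pplacer": ("1.1", ["ocaml@4.01", "ocaml4.01-gsl"]),
    "pplacer-scripts": ("1.1", ["pplacer"]),           # hypothetical dependent
    "ocaml4.02-core-kernel": ("0.1", ["ocaml@4.02"]),  # hypothetical dependent
    "bap": ("1.3", ["ocaml@4.02", "ocaml4.02-core-kernel"]),
    "ocaml-findlib": ("1.8", ["ocaml"]),
}

FIXED_IN = "4.03.0"  # from the CVE text: "OCaml before 4.03.0 ..."


def parse_version(version: str):
    """Split a dotted version into comparable (number, suffix) pairs so that
    "4.01.0" < "4.03.0" and "4.03.0" < "4.03.0+dev" compare as expected."""
    parts = []
    for comp in version.split("."):
        num, rest = re.match(r"(\d*)(.*)", comp).groups()
        parts.append((int(num) if num else -1, rest))
    return tuple(parts)


def is_affected(version: str, fixed_in: str = FIXED_IN) -> bool:
    """True when version sorts strictly below the first fixed release."""
    return parse_version(version) < parse_version(fixed_in)


def reverse_dependents(packages):
    """Invert the input graph: package -> packages that list it as an input."""
    rdeps = {name: set() for name in packages}
    for name, (_, inputs) in packages.items():
        for dep in inputs:
            rdeps.setdefault(dep, set()).add(name)
    return rdeps


def transitive_dependents(packages, root):
    """Breadth-first walk over the reverse graph from root; the result is
    everything that would have to go if root were removed."""
    rdeps = reverse_dependents(packages)
    seen, queue = set(), deque([root])
    while queue:
        current = queue.popleft()
        for dependent in rdeps.get(current, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return sorted(seen)


def impact_report(packages, base_name="ocaml", fixed_in=FIXED_IN):
    """Map each vulnerable <base_name>[@version] package to the sorted list of
    packages that transitively depend on it."""
    report = {}
    for name, (version, _) in packages.items():
        if name.split("@")[0] == base_name and is_affected(version, fixed_in):
            report[name] = transitive_dependents(packages, name)
    return report


if __name__ == "__main__":
    for root, dependents in sorted(impact_report(SAMPLE_PACKAGES).items()):
        print(f"{root}: vulnerable; removing it also removes {dependents}")
```

On the sample graph this flags `ocaml@4.01` and `ocaml@4.02` and leaves the 4.07 `ocaml` alone; the per-root lists are exactly the packages a removal commit would have to touch, which is the information needed before deciding between backporting a patch, bumping the compiler, or dropping the subtree.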





Information forwarded to bug-guix <at> gnu.org:
bug#27462; Package guix. (Wed, 20 Feb 2019 08:40:02 GMT)

Message #37 received at 27462 <at> debbugs.gnu.org:

From: Julien Lepiller <julien <at> lepiller.eu>
To: Andreas Enge <andreas <at> enge.fr>
Cc: 27462 <at> debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Wed, 20 Feb 2019 09:39:20 +0100
Le 19 février 2019 23:17:52 GMT+01:00, Andreas Enge <andreas <at> enge.fr> a écrit :
>On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
>> I still care about ocaml-4.02, but I could probably update it to
>ocaml-4.04 without breaking dependents.
>
>Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
>4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml <at> 4.01, pplacer and
>all other dependent packages.
>
>Is ocaml <at> 4.02 really needed? It would be nice to get rid of a package
>with CVE.
>
>Andreas

At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?

Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…




Information forwarded to bug-guix <at> gnu.org:
bug#27462; Package guix. (Wed, 20 Feb 2019 11:28:01 GMT)

Message #40 received at 27462 <at> debbugs.gnu.org:

From: Andreas Enge <andreas <at> enge.fr>
To: Julien Lepiller <julien <at> lepiller.eu>
Cc: 27462 <at> debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Wed, 20 Feb 2019 12:27:47 +0100
On Wed, Feb 20, 2019 at 09:39:20AM +0100, Julien Lepiller wrote:
> At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?
> 
> Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…

I understand! Waiting a bit more should be okay given how long this bug
is already open... Or packaging a current snapshot of bap (with suitable
numbering as laid out, I think, in the documentation, so that users
will upgrade automatically from the current version over the snapshot to
the next released version).

Thanks,

Andreas





Reply sent to Julien Lepiller <julien <at> lepiller.eu>:
You have taken responsibility. (Fri, 05 Jul 2019 12:13:01 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Fri, 05 Jul 2019 12:13:02 GMT)

Message #45 received at 27462-done <at> debbugs.gnu.org:

From: Julien Lepiller <julien <at> lepiller.eu>
To: 27462-done <at> debbugs.gnu.org
Subject: OCaml CVE-2015-8869
Date: Fri, 05 Jul 2019 14:12:56 +0200
Ocaml-4.02 was removed a few months ago in c3634df2 but I forgot to close this bug report.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 03 Aug 2019 11:24:06 GMT)


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.