Bug 223039

Summary: lang/ocaml: generating insecure code before 4.03
Product: Ports & Packages
Reporter: Phil Pennock <freebsd>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED
Severity: Affects Many People
CC: cs, michipili
Priority: ---
Flags: bugzilla: maintainer-feedback? (michipili)
Version: Latest
Hardware: Any
OS: Any

Description Phil Pennock 2017-10-15 23:23:37 UTC
This should be tracked as a security problem; per:

  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

the OCaml compiler before version 4.03 generates insecure code, mis-handling sign extensions resulting in remote code execution vulnerabilities in software written in OCaml, if it accepts network connections.

Example network-connection-accepting OCaml software in Ports:  security/sks

The current packaging is 4.02.3, not 4.03+, thus all OCaml code being compiled on FreeBSD using the compiler in Ports should be considered vulnerable, per my understanding of the CVE.

There is work in progress for one possible path forward in bug 218333; whether this security-issue bug ends up marked as a dup or prompts shorter-term fast work to update the compiler is a matter for the Security & Ports folks of FreeBSD to decide, but I felt it worth having a tracking bug for the security implications rather than one possible remediation path.
Comment 1 commit-hook freebsd_committer freebsd_triage 2019-05-23 19:44:13 UTC
A commit references this bug:

Author: cs
Date: Thu May 23 19:43:30 UTC 2019
New revision: 502353
URL: https://svnweb.freebsd.org/changeset/ports/502353

Log:
  Multiple vulnerabilities in OCaml

  PR:		223039
  Submitted by:	Phil Pennock <freebsd@phil.spodhuis.org>
  Security:	CVE-2015-8869

Changes:
  head/security/vuxml/vuln.xml