[Secure-testing-team] Bug#865712: ocaml: CVE-2017-9772: local privilege escalation issue with ocaml binaries
Salvatore Bonaccorso
carnil at debian.org
Sat Jun 24 03:29:40 UTC 2017
Source: ocaml
Version: 4.04.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://caml.inria.fr/mantis/view.php?id=7557
Hi,
the following vulnerability was published for ocaml.
CVE-2017-9772[0]:
| Insufficient sanitisation in the OCaml compiler versions 4.04.0 and
| 4.04.1 allows external code to be executed with raised privilege in
| binaries marked as setuid, by setting the CAML_CPLUGINS,
| CAML_NATIVE_CPLUGINS, or CAML_BYTE_CPLUGINS environment variable.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9772
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772
[1] https://caml.inria.fr/mantis/view.php?id=7557
Regards,
Salvatore
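The CVE text above describes a setuid binary that honours CAML_CPLUGINS, CAML_NATIVE_CPLUGINS or CAML_BYTE_CPLUGINS from its environment and so loads attacker-chosen code with raised privilege. The mitigation for that class of bug is to ignore such environment variables whenever the real and effective user or group ids differ, which is the same rule glibc's secure_getenv() applies. The following C snippet is an added illustration of that check, written for this report; it is not OCaml's own code, and the helper names (env_is_trusted, plugin_list_to_load, plugins_from_env) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Weak pattern (illustration only): the environment is consulted
   unconditionally, so a setuid binary would load whatever it names. */
const char *plugins_unchecked(const char *name) {
    return getenv(name);
}

/* A process may trust its environment only when it is not running
   with elevated privilege, i.e. real and effective ids match. */
int env_is_trusted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    return ruid == euid && rgid == egid;
}

/* Hardened pattern: return the plugin list to load, or NULL when the
   environment must be ignored. `value` is the raw variable value
   (possibly NULL); `trusted` comes from env_is_trusted(). */
const char *plugin_list_to_load(const char *value, int trusted) {
    if (!trusted)
        return NULL;                 /* setuid/setgid: never honour it */
    if (value == NULL || value[0] == '\0')
        return NULL;                 /* unset or empty: nothing to load */
    return value;
}

/* Wrapper that reads the live process state (hypothetical helper). */
const char *plugins_from_env(const char *name) {
    int trusted = env_is_trusted(getuid(), geteuid(), getgid(), getegid());
    return plugin_list_to_load(getenv(name), trusted);
}

int main(void) {
    /* The three variable names from the CVE description. */
    const char *names[] = {"CAML_CPLUGINS", "CAML_NATIVE_CPLUGINS",
                           "CAML_BYTE_CPLUGINS"};
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *v = plugins_from_env(names[i]);
        printf("%s -> %s\n", names[i], v ? v : "(ignored)");
    }
    return 0;
}
```

Run as an ordinary user the wrapper returns whatever the variables hold; run under a setuid or setgid bit the check forces every lookup to NULL, so no plugin path from the environment is ever consulted. A defender reviewing a native binary for this bug class can apply the same test: any getenv() feeding a dlopen() or file path must be gated on the id comparison.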