ocaml security update

ID CESA-2016:1296
Type centos
Reporter CentOS Project
Modified 2016-06-23T23:41:43


CentOS Errata and Security Advisory CESA-2016:1296

OCaml is a high-level, strongly-typed, functional, and object-oriented programming language from the ML family of languages. The ocaml packages contain two batch compilers (a fast bytecode compiler and an optimizing native-code compiler), an interactive top level system, parsing tools (Lex, Yacc, Camlp4), a replay debugger, a documentation generator, and a comprehensive library.

Security Fix(es):

  • OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit platforms, causes size arguments to internal memmove calls to be sign-extended from 32 to 64 bits before being passed to the memmove function. This leads to arguments between 2 GiB and 4 GiB being interpreted as larger than they are (specifically, a bit below 2^64), causing a buffer overflow. Further, arguments between 4 GiB and 6 GiB are interpreted as 4 GiB smaller than they should be, causing a possible information leak. (CVE-2015-8869)
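To make the two failure modes above concrete, here is an added model of the CVE-2015-8869 arithmetic (illustration code, not the OCaml runtime's own source): a requested byte count is truncated to a 32-bit signed integer and then sign-extended to 64 bits, exactly as the advisory describes, and the result is compared with what memmove should have received. The function and type names are assumptions; no memory is actually moved.

```c
#include <stdint.h>
#include <stdio.h>

#define GIB (1ULL << 30)

/* Buggy path (models the pre-fix runtime): the length passes through a
 * 32-bit signed int and is then sign-extended when widened to size_t. */
uint64_t buggy_memmove_len(uint64_t requested) {
    int32_t truncated = (int32_t)(uint32_t)requested; /* keep low 32 bits, reinterpret as signed */
    return (uint64_t)(int64_t)truncated;              /* sign-extend to 64 bits */
}

/* Fixed path: the length is carried as a 64-bit size_t end to end. */
uint64_t fixed_memmove_len(uint64_t requested) {
    return requested;
}

typedef enum { LEN_OK, LEN_OVERFLOW, LEN_SHORT } len_outcome;

/* Classify what the buggy path would hand to memmove:
 *  LEN_OVERFLOW: larger than requested -> copy runs past the buffer
 *  LEN_SHORT:    smaller than requested -> tail of the destination is left
 *                uninitialised (possible information leak)                */
len_outcome classify(uint64_t requested) {
    uint64_t passed = buggy_memmove_len(requested);
    if (passed == requested) return LEN_OK;
    return passed > requested ? LEN_OVERFLOW : LEN_SHORT;
}

int main(void) {
    /* Constructed sample sizes: below 2 GiB, in [2,4) GiB and in [4,6) GiB. */
    uint64_t samples[] = { 1 * GIB, 3 * GIB, 5 * GIB };
    static const char *names[] = { "ok", "overflow", "short" };
    for (int i = 0; i < 3; i++) {
        uint64_t req = samples[i];
        printf("requested %llu GiB -> buggy passes 0x%016llx, fixed passes 0x%016llx (%s)\n",
               (unsigned long long)(req / GIB),
               (unsigned long long)buggy_memmove_len(req),
               (unsigned long long)fixed_memmove_len(req),
               names[classify(req)]);
    }
    return 0;
}
```

A 3 GiB request comes out as 0xFFFFFFFFC0000000 (just below 2^64) and a 5 GiB request as 1 GiB, matching the two ranges the advisory describes.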

Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2016-June/033971.html

Affected packages: ocaml ocaml-camlp4 ocaml-camlp4-devel ocaml-compiler-libs ocaml-docs ocaml-emacs ocaml-labltk ocaml-labltk-devel ocaml-ocamldoc ocaml-runtime ocaml-source ocaml-x11

Upstream details at: https://rhn.redhat.com/errata/RHSA-2016-1296.html