I'm fairly sure we don't have any setuid binaries written in OCaml. However, I've no idea how we would go about mechanically checking this, hence why I'm asking here.

OCaml 4.04.2 (23 Jun 2017):
---------------------------

### Security fix:

- PR#7557: Local privilege escalation issue with ocaml binaries.
  (Damien Doligez, report by Eric Milliken, review by Xavier Leroy)

CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables

The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled executable or any ocamlc-compiled executable in ‘custom runtime mode’. This can lead to privilege escalation if the executable is marked setuid.

Vulnerable versions: OCaml 4.04.0 and 4.04.1

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows. http://people.redhat.com/~rjones/virt-df/

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
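One way to mechanically answer the question in the mail above, as an added audit example that is not part of the original message or of the OCaml project: walk a filesystem for setuid/setgid regular files and flag those whose contents carry OCaml runtime markers. The markers are an assumption on my part: the OCaml runtime reads the `OCAMLRUNPARAM` environment variable, so that literal is embedded in every ocamlopt-linked or custom-runtime executable, stripped or not, and a runtime that implements the plugin loader described in the advisory also embeds the literal `CAML_CPLUGINS`. The function names (`find_setuid_ocaml`, `ocaml_markers`, `make_fixture`) are hypothetical, and `make_fixture` builds a constructed stand-in directory so the script can be exercised offline.

```shell
#!/bin/sh
# Added audit example (not from the original mail or from OCaml itself):
# report setuid/setgid files under a directory that look like OCaml
# executables, so they can be checked against the fixed 4.04.2 runtime
# or have the setuid bit reconsidered.

# Print the space-separated list of assumed OCaml runtime markers found in $1.
# OCAMLRUNPARAM: read by every OCaml runtime, survives stripping.
# CAML_CPLUGINS: present in runtimes that ship the plugin loader.
ocaml_markers() {
    found=
    for m in OCAMLRUNPARAM CAML_CPLUGINS; do
        if grep -a -q "$m" "$1" 2>/dev/null; then
            found="${found:+$found }$m"
        fi
    done
    printf '%s\n' "$found"
}

# Print "<path> <markers>" for each setuid (4000) or setgid (2000) regular
# file under $1 that contains at least one marker. Stays on one filesystem.
find_setuid_ocaml() {
    dir=$1
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        markers=$(ocaml_markers "$f")
        if [ -n "$markers" ]; then
            printf '%s %s\n' "$f" "$markers"
        fi
    done
}

# Constructed fixture: a temp directory with three stand-in files.
#   ocaml-suid   - setuid, carries both markers      -> must be reported
#   plain-suid   - setuid, no OCaml markers          -> must not be reported
#   ocaml-normal - carries a marker but not setuid   -> must not be reported
make_fixture() {
    d=$(mktemp -d)
    printf 'stub OCAMLRUNPARAM CAML_CPLUGINS caml_startup\n' > "$d/ocaml-suid"
    chmod 4755 "$d/ocaml-suid"
    printf 'stub some other runtime\n' > "$d/plain-suid"
    chmod 4755 "$d/plain-suid"
    printf 'stub OCAMLRUNPARAM\n' > "$d/ocaml-normal"
    chmod 0755 "$d/ocaml-normal"
    printf '%s\n' "$d"
}

# Usage: sh audit_setuid_ocaml.sh /   (audits a real tree when given a path)
if [ $# -gt 0 ]; then
    find_setuid_ocaml "$1"
fi
```

Run it against `/` (or each package's installed file list) to get the candidate set; every hit then needs two follow-ups: confirm which OCaml release built it, since the advisory names 4.04.0 and 4.04.1 as affected and 4.04.2 as the fix, and decide whether the binary needs the setuid bit at all. A file that carries `OCAMLRUNPARAM` but not `CAML_CPLUGINS` was linked against a runtime without the plugin loader and is outside the scope of this advisory.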