PublicDateAtUSN: 2016-06-13
Candidate: CVE-2015-8869
PublicDate: 2016-06-13 19:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
 http://www.openwall.com/lists/oss-security/2016/04/29/1
 https://ubuntu.com/security/notices/USN-3437-1
Description:
 OCaml before 4.03.0 does not properly handle sign extensions, which allows
 remote attackers to conduct buffer overflow attacks or obtain sensitive
 information as demonstrated by a long string to the String.copy function.
Ubuntu-Description:
 It was discovered that OCaml mishandled sign extensions. A remote attacker
 could use this vulnerability to steal sensitive information, cause a denial
 of service (crash), or possibly execute arbitrary code.
Notes:
 msalvatore> binaries built with ocamlopt will need to be rebuilt after a system upgrade
Bugs:
 http://caml.inria.fr/mantis/view.php?id=7003
Priority: medium
Discovered-by: Radek Micek
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H [9.1 CRITICAL]

Patches_ocaml:
 upstream: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74
upstream_ocaml: released (4.02.3-9, 4.03.0)
precise_ocaml: ignored (reached end-of-life)
precise/esm_ocaml: DNE (precise was needed)
trusty_ocaml: released (4.01.0-3ubuntu3.1)
trusty/esm_ocaml: released (4.01.0-3ubuntu3.1)
vivid/stable-phone-overlay_ocaml: DNE
vivid/ubuntu-core_ocaml: DNE
wily_ocaml: ignored (reached end-of-life)
xenial_ocaml: ignored (end of standard support, was needed)
yakkety_ocaml: ignored (reached end-of-life)
zesty_ocaml: ignored (reached end-of-life)
artful_ocaml: ignored (reached end-of-life)
bionic_ocaml: not-affected (4.02.3-9)
cosmic_ocaml: not-affected (4.02.3-9)
disco_ocaml: not-affected (4.02.3-9)
eoan_ocaml: not-affected (4.02.3-9)
focal_ocaml: not-affected (4.02.3-9)
groovy_ocaml: not-affected (4.02.3-9)
hirsute_ocaml: not-affected (4.02.3-9)
impish_ocaml: not-affected (4.02.3-9)
jammy_ocaml: not-affected (4.02.3-9)
devel_ocaml: not-affected (4.02.3-9)