CVE-2012-0839: Hash collision DoS

Related Vulnerabilities: CVE-2012-0839  

Debian Bug report logs - #659149

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 8 Feb 2012 17:48:01 UTC

Severity: important

Tags: fixed-upstream, security

Fixed in version ocaml/4.00.0~beta2-2

Done: Stéphane Glondu <glondu@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://caml.inria.fr/mantis/view.php?id=5572



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#659149; Package ocaml. (Wed, 08 Feb 2012 17:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Wed, 08 Feb 2012 17:48:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-0839: Hash collision DoS
Date: Wed, 08 Feb 2012 18:44:26 +0100
Package: ocaml
Severity: important
Tags: security

Ocaml is affected by the recently discovered class of hash collisions,
see http://www.mail-archive.com/caml-list@inria.fr/msg01477.html

Apparently there's no upstream fix yet.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#659149; Package ocaml. (Wed, 08 Feb 2012 18:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Mehdi Dogguy <mehdi@dogguy.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Wed, 08 Feb 2012 18:03:05 GMT) (full text, mbox, link).


Message #10 received at 659149@bugs.debian.org (full text, mbox, reply):

From: Mehdi Dogguy <mehdi@dogguy.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 659149@bugs.debian.org
Subject: Re: Bug#659149: CVE-2012-0839: Hash collision DoS
Date: Wed, 08 Feb 2012 19:01:11 +0100
On 08/02/12 18:44, Moritz Muehlenhoff wrote:
> Package: ocaml
> Severity: important
> Tags: security
>
> Ocaml is affected by the recently discovered class of hash collisions,
> see http://www.mail-archive.com/caml-list@inria.fr/msg01477.html
>
> Apparently there's no upstream fix yet.
>

As far as I understand it, upstream implemented a fix that will be
released in OCaml 3.13. It will be up to the programmer to choose a seed
parameter to diversify the hash function.

See http://www.mail-archive.com/caml-list@inria.fr/msg01500.html in the
same thread.

Regards,

-- 
Mehdi




Set Bug forwarded-to-address to 'http://caml.inria.fr/mantis/view.php?id=5572'. Request was from Mehdi Dogguy <mehdi@debian.org> to control@bugs.debian.org. (Tue, 03 Apr 2012 09:00:03 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 19 Apr 2012 16:40:09 GMT) (full text, mbox, link).


Reply sent to Stéphane Glondu <glondu@debian.org>:
You have taken responsibility. (Thu, 21 Jun 2012 15:39:20 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 21 Jun 2012 15:39:21 GMT) (full text, mbox, link).


Message #19 received at 659149-close@bugs.debian.org (full text, mbox, reply):

From: Stéphane Glondu <glondu@debian.org>
To: 659149-close@bugs.debian.org
Subject: Bug#659149: fixed in ocaml 4.00.0~beta2-2
Date: Thu, 21 Jun 2012 15:36:31 +0000
Source: ocaml
Source-Version: 4.00.0~beta2-2

We believe that the bug you reported is fixed in the latest version of
ocaml, which is due to be installed in the Debian FTP archive:

camlp4-extra_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/camlp4-extra_4.00.0~beta2-2_amd64.deb
camlp4_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/camlp4_4.00.0~beta2-2_amd64.deb
ocaml-base-nox_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-base-nox_4.00.0~beta2-2_amd64.deb
ocaml-base_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-base_4.00.0~beta2-2_amd64.deb
ocaml-compiler-libs_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-compiler-libs_4.00.0~beta2-2_amd64.deb
ocaml-interp_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-interp_4.00.0~beta2-2_amd64.deb
ocaml-mode_4.00.0~beta2-2_all.deb
  to main/o/ocaml/ocaml-mode_4.00.0~beta2-2_all.deb
ocaml-native-compilers_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-native-compilers_4.00.0~beta2-2_amd64.deb
ocaml-nox_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-nox_4.00.0~beta2-2_amd64.deb
ocaml-source_4.00.0~beta2-2_all.deb
  to main/o/ocaml/ocaml-source_4.00.0~beta2-2_all.deb
ocaml_4.00.0~beta2-2.debian.tar.gz
  to main/o/ocaml/ocaml_4.00.0~beta2-2.debian.tar.gz
ocaml_4.00.0~beta2-2.dsc
  to main/o/ocaml/ocaml_4.00.0~beta2-2.dsc
ocaml_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml_4.00.0~beta2-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stéphane Glondu <glondu@debian.org> (supplier of updated ocaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 21 Jun 2012 16:42:25 +0200
Source: ocaml
Binary: ocaml-nox camlp4 camlp4-extra ocaml ocaml-base-nox ocaml-base ocaml-native-compilers ocaml-source ocaml-interp ocaml-compiler-libs ocaml-mode
Architecture: source amd64 all
Version: 4.00.0~beta2-2
Distribution: experimental
Urgency: low
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Stéphane Glondu <glondu@debian.org>
Description: 
 camlp4     - Pre Processor Pretty Printer for OCaml
 camlp4-extra - Pre Processor Pretty Printer for OCaml - extras
 ocaml      - ML language implementation with a class-based object system
 ocaml-base - Runtime system for OCaml bytecode executables
 ocaml-base-nox - Runtime system for OCaml bytecode executables (no X)
 ocaml-compiler-libs - OCaml interpreter and standard libraries
 ocaml-interp - OCaml interactive interpreter and standard libraries
 ocaml-mode - major mode for editing Objective Caml in Emacs
 ocaml-native-compilers - Native code compilers of the OCaml suite (the .opt ones)
 ocaml-nox  - ML implementation with a class-based object system (no X)
 ocaml-source - Sources for Objective Caml
Closes: 659149
Changes: 
 ocaml (4.00.0~beta2-2) experimental; urgency=low
 .
   * Fix natdynlink detection on sparc
   * Cherry-pick an upstream fix in native compilation on powerpc
   * Fixes in the test suite:
     - use legacy -custom for lib-marshal test
     - some tests were still triggering ocamlopt even on bytecode
     - fix asmcomp tests on powerpc
     - fix symbol mangling in asmcomp tests on kfreebsd-i386 and sparc
   * Bump Standards-Version to 3.9.3
 .
 ocaml (4.00.0~beta2-1) experimental; urgency=low
 .
   * New upstream beta release
     - new "R" parameter in OCAMLRUNPARAMS to enable automatic
       randomization of the generic hash function (Closes: #659149,
       CVE-2012-0839)
     - the layout of the ocaml-compiler-libs binary package has changed
       significantly as a result of upstream installing +compiler-libs by
       itself; toplevel libraries have been moved there
   * Change the layout of the ocaml-source binary package
   * Merge changes from version 3.12.1-3


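The seed-based mitigation that Mehdi's reply and the changelog entry describe, as an added example (not code from the bug report or the OCaml project). It assumes OCaml 4.00 or later, where Hashtbl.create ~random, Hashtbl.seeded_hash, Hashtbl.MakeSeeded and Hashtbl.stats exist; the sample keys are constructed and are not a collision set.

```ocaml
(* Added example, not code from the bug report or the OCaml project.
   Demonstrates the two mitigations named in the thread: a seed chosen by
   the programmer (per-table randomization / seeded hashing) and the
   process-wide runtime switch (OCAMLRUNPARAM=R). Assumes OCaml >= 4.00. *)

(* A table keyed by untrusted strings. With ~random:true the table draws
   its own seed at creation time, so a key set crafted against the
   unseeded generic hash no longer degenerates into one long bucket. *)
let make_untrusted_table () : (string, int) Hashtbl.t =
  Hashtbl.create ~random:true 16

(* Same key, different seeds: the bucket index is no longer predictable
   from the key alone. Hashtbl.seeded_hash : int -> 'a -> int *)
let bucket_for ~seed ~nbuckets key =
  (Hashtbl.seeded_hash seed key) land (nbuckets - 1)

(* For a custom key type, use MakeSeeded so the seed reaches the user's
   hash function instead of being silently ignored. *)
module SeededStrTbl = Hashtbl.MakeSeeded (struct
  type t = string
  let equal = (=)
  let hash seed s = Hashtbl.seeded_hash seed s
end)

(* Load keys and report the longest chain. A service can log this value
   to detect a table degenerating towards a linked list, which is the
   symptom of the hash-collision DoS. *)
let longest_chain (tbl : (string, int) Hashtbl.t) keys =
  List.iteri (fun i k -> Hashtbl.replace tbl k i) keys;
  (Hashtbl.stats tbl).Hashtbl.max_bucket_length

let () =
  (* Constructed sample keys (benign, not colliding). *)
  let keys = Array.to_list (Array.init 1000 (fun i -> Printf.sprintf "key%d" i)) in
  let plain = Hashtbl.create 16 in
  let seeded = make_untrusted_table () in
  Printf.printf "unseeded table, longest chain: %d\n" (longest_chain plain keys);
  Printf.printf "seeded table,   longest chain: %d\n" (longest_chain seeded keys);
  Printf.printf "bucket of \"admin\" with seed 1: %d, with seed 2: %d\n"
    (bucket_for ~seed:1 ~nbuckets:64 "admin")
    (bucket_for ~seed:2 ~nbuckets:64 "admin");
  (* Programs that cannot be modified get the same protection process-wide:
       OCAMLRUNPARAM=R ./program
     which makes every Hashtbl.create behave as if ~random:true were given. *)
  ignore (SeededStrTbl.create 16)
```

With benign keys both tables show short chains; the difference only appears against inputs crafted for the fixed hash, which is exactly what the seed removes.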




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#659149; Package ocaml. (Thu, 17 Jan 2013 15:36:08 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Thu, 17 Jan 2013 15:36:08 GMT) (full text, mbox, link).


Message #24 received at 659149@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: 659149@bugs.debian.org
Subject: Re: CVE-2012-0839: Hash collision DoS
Date: Thu, 17 Jan 2013 11:42:10 -0000
Package: ocaml

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/659149/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#659149; Package ocaml. (Thu, 17 Jan 2013 18:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Stéphane Glondu <glondu@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Thu, 17 Jan 2013 18:39:03 GMT) (full text, mbox, link).


Message #29 received at 659149@bugs.debian.org (full text, mbox, reply):

From: Stéphane Glondu <glondu@debian.org>
To: Jonathan Wiltshire <jmw@debian.org>, 659149@bugs.debian.org
Subject: Re: Bug#659149: CVE-2012-0839: Hash collision DoS
Date: Thu, 17 Jan 2013 19:29:25 +0100
On 17/01/2013 12:42, Jonathan Wiltshire wrote:
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases: [...]

Unfortunately, this "fix" is part of a new major release and cannot be
backported as it is. It doesn't look worth the trouble to design a new
fix for squeeze and wheezy.


Cheers,

-- 
Stéphane





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#659149; Package ocaml. (Fri, 01 Feb 2013 16:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Fri, 01 Feb 2013 16:27:03 GMT) (full text, mbox, link).


Message #34 received at 659149@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: Stéphane Glondu <glondu@debian.org>
Cc: 659149@bugs.debian.org
Subject: Re: Bug#659149: CVE-2012-0839: Hash collision DoS
Date: Fri, 1 Feb 2013 16:25:11 +0000
On Thu, Jan 17, 2013 at 07:29:25PM +0100, Stéphane Glondu wrote:
> On 17/01/2013 12:42, Jonathan Wiltshire wrote:
> > Recently you fixed one or more security problems and as a result you closed
> > this bug. These problems were not serious enough for a Debian Security
> > Advisory, so they are now on my radar for fixing in the following suites
> > through point releases: [...]
> 
> Unfortunately, this "fix" is part of a new major release and cannot be
> backported as it is. It doesn't look worth the trouble to design a new
> fix for squeeze and wheezy.

Thanks, noted.


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
            layered on top of bonghits

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 09 Jan 2014 07:33:26 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:56:21 2019; Machine Name: beach
