[cwn] Attn: Development Editor, Latest OCaml Weekly News

Alan Schmitt alan.schmitt at polytechnique.org
Tue Jun 27 05:43:59 PDT 2017 

Hello,

Here is the latest OCaml Weekly News, for the week of June 20 to 27, 2017.

1) {Uucd,Uucp,Uunf,Uuseg} 10.0.0
2) OCaml release 4.04.2
3) Camlp5 7.00 compatible with OCaml 4.04.2
4) From the OCaml discourse
5) Ocaml Github Pull Requests
6) Other OCaml News

========================================================================
1) {Uucd,Uucp,Uunf,Uuseg} 10.0.0
Archive: <https://sympa.inria.fr/sympa/arc/caml-list/2017-06/msg00087.html>
------------------------------------------------------------------------
** Daniel Bünzli announced:

Unicode 10.0.0 was released yesterday. It adds 8518 new characters to the
standard including the essential DUMPLING (U+1F95F) character. See [0] for the
more details about all the additions.

Accordingly the libraries mentioned at the end of this email had to be updated,
consult the individual release notes for details. These libraries explicitly
support a particular version of the standard, hence their versioning scheme has
been changed so that the *major* version number matches the major version of the
Unicode version they support.

A few remarks about the releases:

1. Both Uucd and Uucp are incompatible releases since new script and block
enumerants had to be added.

2. Both Uuseg and Uunf are compatible releases with updated data to support the
new characters.

3. Uucp now provides a new cli tool `ucharinfo` which allows you to query
character information (e.g. name, escaped UTF-8 byte sequence, etc.) from the
cli, see `ucharinfo --help` for more information.

4. Users of Uunf are urged to upgrade to the latest version since to my dismay
the amazing fuzzer Stephen Dolan found via crowbar [1] bugs in my (previously
terribly imperative) implementation of the canonical composition algorithm --
this may have affected users of normal forms NFC, NFKC.

If Unicode still puzzles you, remember that Uucp's documentation has an absolute
minimal Unicode introduction [2] and a few biased tips [3] to handle Unicode in
OCaml.

Best & happy ??,

Daniel

[0] <http://blog.unicode.org/2017/06/announcing-unicode-standard-version-100.html>
[1] <https://github.com/stedolan/crowbar>
[2] <http://erratique.ch/software/uucp/doc/Uucp.html#uminimal>
[3] <http://erratique.ch/software/uucp/doc/Uucp.html#tips>

# Uucd 10.0.0 Unicode character database decoder for OCaml.
<http://erratique.ch/software/uucd>

# Uucp 10.0.0 Unicode character properties for OCaml.
<http://erratique.ch/software/uucp>

# Uunf 10.0.0 Unicode text normalization for OCaml.
<http://erratique.ch/software/uunf>

# Uuseg 10.0.0 Unicode text segmentation for OCaml.
<http://erratique.ch/software/uuseg>
      
========================================================================
2) OCaml release 4.04.2
Archive: <https://sympa.inria.fr/sympa/arc/caml-list/2017-06/msg00094.html>
------------------------------------------------------------------------
** Damien Doligez announced:

We have the pleasure of celebrating the birthday of Alan Turing by
announcing the release of OCaml version 4.04.2.

This minor release fixes the security issue described in
CVE-2017-9772 (included below).

All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1.
Any user who produces setuid programs with OCaml should read the CVE
and upgrade immediately.

It is available as an OPAM switch, or as a source download here:
  <https://caml.inria.fr/pub/distrib/ocaml-4.04/>
  <https://github.com/ocaml/ocaml/archive/4.04.2.tar.gz>

Happy hacking,

-- Damien Doligez for the OCaml team.


OCaml 4.04.2 (23 Jun 2017):
---------------------------

### Security fix:

- PR#7557: Local privilege escalation issue with ocaml binaries.
  (Damien Doligez, report by Eric Milliken, review by Xavier Leroy)

--------------------------------------------------------------------

CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables

The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and
CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled
executable or any ocamlc-compiled executable in ?custom runtime mode?.
This can lead to privilege escalation if the executable is marked setuid.

Vulnerable versions: OCaml 4.04.0 and 4.04.1

Workarounds:
   - Upgrade to OCaml 4.04.2 or higher.
or - Compile the OCaml distribution with the "-no-cplugins" configure option.
or - OPAM users can "opam update && opam switch recompile 4.04.1", as
     the repository has had backported patches applied.

Impact: This only affects binaries that have been installed on Unix-like
operating systems (including Linux and macOS) with the setuid bit set.
However, in that situation, any user who execute the program gains all
the privileges of the owner of the executable (meaning that root-owned
setuid executables provide root access).

Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv
to raise an exception if the process has ever had elevated privileges.
The OCaml runtime has also been modified to use this function for
retrieving all of the runtime environment variables which could potentially
cause files to be accessed or modified.  The older behaviour is available
in Sys.unsafe_getenv for applications that require strict compatibility.

Credits: This was originally reported by Eric Milliken on the OCaml Mantis
bug tracker. <https://caml.inria.fr/mantis/view.php?id=7557>

References: see CVE-2017-9779 for a lesser vulnerability in older versions.

CVSS v2 Vector:
AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L
CWE ID: 114
      
========================================================================
3) Camlp5 7.00 compatible with OCaml 4.04.2
Archive: <https://sympa.inria.fr/sympa/arc/caml-list/2017-06/msg00107.html>
------------------------------------------------------------------------
** Daniel de Rauglaudre announced:

New release 7.00 of Camlp5. Compatible with all OCaml versions,
latest OCaml version 4.04.2 included.

Main improvement: ability to use limited and full backtracking
algorithm in extensible grammars.

Home page, including downloading and documentation at:
  <https://camlp5.github.io/>
      
========================================================================
4) From the OCaml discourse
------------------------------------------------------------------------
** The editor compiled this list:

Here are some links to messages at <http://discuss.ocaml.org> that may
be of interest to the readers.

- Thomas Gazagnaire talks about "MirageOS and Docker talk in Paris (28 June)"
  <https://discuss.ocaml.org/t/mirageos-and-docker-talk-in-paris-28-june/450/1>

- Ryan Slade talks about "nsq-ocaml"
  <https://discuss.ocaml.org/t/ann-nsq-ocaml/467/1>

- Richard Mortier talks about "dommage, Dockerising the Mirage CLI"
  <https://discuss.ocaml.org/t/ann-dommage-dockerising-the-mirage-cli/470/1>

- octachron talks about "harmatia, "prettified" compiler error message plugin"
  <https://discuss.ocaml.org/t/ann-harmatia-prettified-compiler-error-message-plugin/471/1>
      
========================================================================
5) Ocaml Github Pull Requests
------------------------------------------------------------------------
** Gabriel Scherer and the editor compiled this list:

Here is a sneak peek at some potential future features of the Ocaml
compiler, discussed by their implementers in these Github Pull Requests.

- Fixing the limitations on destructive substitutions
  <https://github.com/ocaml/ocaml/pull/792>
- Unix.symlink: support forward slashes in symlink targets under Windows
  <https://github.com/ocaml/ocaml/pull/1211>
- expose the origin of universal type variable in error messages
  <https://github.com/ocaml/ocaml/pull/1212>
      
========================================================================
6) Other OCaml News
------------------------------------------------------------------------
** From the ocamlcore planet blog:

Here are links from many OCaml blogs aggregated at OCaml Planet,
<http://ocaml.org/community/planet/>.

Intel Hyper-Threading Bug Uncovered by OCaml Developers
 <https://ocamllabs.github.io//general/2017/06/26/IntelHyperThreadBug.html>

OCaml 4.04.2 released
 <http://caml.inria.fr/pub/distrib/ocaml-4.04/>

Unicode 10.0.0 refresh
 <http://erratique.ch/software>
      
========================================================================
Old cwn
------------------------------------------------------------------------

If you happen to miss a CWN, you can send me a message
(alan.schmitt at polytechnique.org) and I'll mail it to you, or go take a look at
the archive (<http://alan.petitepomme.net/cwn/>) or the RSS feed of the
archives (<http://alan.petitepomme.net/cwn/cwn.rss>). If you also wish
to receive it every week by mail, you may subscribe online at
<http://lists.idyll.org/listinfo/caml-news-weekly/> .

========================================================================

-- 
OpenPGP Key ID : 040D0A3B4ED2E5C7
Monthly Athmospheric CO₂, Mauna Loa Obs. 2017-05: 409.65, 2016-05: 407.70
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://lists.idyll.org/pipermail/caml-news-weekly/attachments/20170627/a1b2e285/attachment.pgp>

More information about the caml-news-weekly mailing list