The OCaml standard library in version 4.06.00 has an integer overflow vulnerability in byterun/bigarray.c:caml_ba_deserialize() when handling serialized (marshalled) data. A remote attacker could exploit this to cause a denial of service or possible code execution by supplying a crafted serialized object. Upstream Issue: https://caml.inria.fr/mantis/view.php?id=7765
Created ocaml tracking bugs for this issue: Affects: fedora-all [bug 1565471]
I think the impact of this should be "low". My reasoning is that the Marshal interface is unsafe and should not be used when sending data to untrusted end points. The documentation is quite explicit about this. It is possible to crash the remote end point in multiple ways, eg: let m = Marshal.to_string (1, 2) [] let x : bool * string = Marshal.from_string m 0 let () = Printf.printf "%b * %s" (fst x) (snd x) $ ocamlopt crash.ml -o crash $ ./crash Segmentation fault (core dumped) OCaml provides ways to serialize data safely but Marshal is a low-level interface which doesn't do that. Of course I will fix this problem anyway in Fedora & RHEL.
They're still working on a fix upstream, but the latest proposal is https://github.com/ocaml/ocaml/pull/1718