bug#27462: OCaml CVE-2015-8869

[Andreas Enge]

On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software

I suppose not, because one of its dependencies currently does not build:

...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" 
"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
   191:35  4 (_ _)
In srfi/srfi-1.scm:
   863:16  3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
In 
/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
   799:28  2 (_ _)
In 
/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
     55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In 
/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
    616:6  0 (invoke _ . _)

/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6:
 In procedure invoke:
Throw to key `srfi-34' with args `(#<condition &invoke-error [program: 
"./configure" arguments: ("-prefix" 
"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0") 
exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
builder for 
`/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed 
with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv 
failed
...

Shall we remove all the ocaml-4.01 universe? The next step would be 4.02,
it appears that the CVE is solved with 4.03 only:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
   "OCaml before 4.03.0 does not properly handle..."

Andreas