openSUSE-SU-2026:20368-1

Опубликовано: 17 мар. 2026

Источник: suse-cvrf

Описание

Security update for ocaml

This update for ocaml fixes the following issues:

CVE-2026-28364: missing bounds validation in readblock() can lead to arbitrary code execution (bsc#1258992)

Список пакетов

openSUSE Leap 16.0

ocaml-4.14.2-160000.4.1

ocaml-compiler-libs-4.14.2-160000.4.1

ocaml-compiler-libs-devel-4.14.2-160000.4.1

ocaml-ocamldoc-4.14.2-160000.4.1

ocaml-runtime-4.14.2-160000.4.1

ocaml-source-4.14.2-160000.4.1

Ссылки

https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1258992
SUSE Bug 1258992
https://www.suse.com/security/cve/CVE-2026-28364/
SUSE CVE CVE-2026-28364 page

Описание

In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.

Затронутые продукты

openSUSE Leap 16.0:ocaml-4.14.2-160000.4.1

openSUSE Leap 16.0:ocaml-compiler-libs-4.14.2-160000.4.1

openSUSE Leap 16.0:ocaml-compiler-libs-devel-4.14.2-160000.4.1

openSUSE Leap 16.0:ocaml-ocamldoc-4.14.2-160000.4.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-28364.html
CVE-2026-28364
https://bugzilla.suse.com/1258992
SUSE Bug 1258992

openSUSE-SU-2026:20368-1

Описание

Список пакетов

openSUSE Leap 16.0

Ссылки

Уязвимость: CVE-2026-28364

Описание

Затронутые продукты

Ссылки