• en

OCaml 4.04.2

This page describes OCaml version 4.04.2, released on 2017-06-23. Go here for a list of all releases.

This release is available as multiple OPAM switches:

  • 4.04.2 — Official 4.04.2 release
  • 4.04.2+flambda — Official 4.04.2 release with flambda enabled
  • 4.04.2+fp — Official 4.04.2 release with frame pointers
  • 4.04.2+fp+flambda — Official 4.04.2 release with frame pointers and flambda enabled
  • 4.04.2+safe-string - Official 4.04.2 release with -safe-string enabled

For a comprehensive list of changes and details on all new features, bug fixes, optimizations, etc., please consult the changelog. There is also a crowdsourced annotated changelog for 4.04.0.

 Security Updates

The 4.04.2 release features an important security update, described in the security advisory below.

CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables

The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and
CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled
executable or any ocamlc-compiled executable in ‘custom runtime mode’.
This can lead to privilege escalation if the executable is marked setuid.

Vulnerable versions: OCaml 4.04.0 and 4.04.1

Workarounds:
  - Upgrade to OCaml 4.04.2 or higher.
or - Compile the OCaml distribution with the "-no-cplugins" configure option.
or - OPAM users can "opam update && opam switch recompile 4.04.1", as
    the repository has had backported patches applied.

Impact: This only affects binaries that have been installed on Unix-like
operating systems (including Linux and macOS) with the setuid bit set.
However, in that situation, any user who execute the program gains all
the privileges of the owner of the executable (meaning that root-owned
setuid executables provide root access).

Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv
to raise an exception if the process has ever had elevated privileges.
The OCaml runtime has also been modified to use this function for
retrieving all of the runtime environment variables which could potentially
cause files to be accessed or modified.  The older behaviour is available
in the `caml_sys_unsafe_getenv` primitive for applications that require
strict compatibility.

Credits: This was originally reported by Eric Milliken on the OCaml Mantis
bug tracker. https://caml.inria.fr/mantis/view.php?id=7557

CVSS v2 Vector:
AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L
CWE ID: 114

What's new

Some of the highlights in release 4.04 are:

  • Exceptions can be declared locally within an expression, with syntax let exception ... in ...

  • Optimized memory representation for immutable records with a single field, and concrete types with a single constructor with a single argument. This is triggered with a @@unboxed attribute on the type definition.

  • Support for the Spacetime memory profiler was added.

For a comprehensive list of changes and details on all new features, bug fixes, optimizations, etc., please consult the changelog.

Source distribution

  • Source tarball (.tar.gz) for compilation under Unix (including Linux and MacOS X) and Microsoft Windows (including Cygwin).

  • Also available in .zip format.

  • OPAM is a source-based distribution of OCaml and many companion libraries and tools. Compilation and installation are automated by powerful package managers.

  • The official development repo is hosted on GitHub.

The INSTALL file of the distribution provides detailed compilation and installation instructions.

Binary distributions for Linux

Binary distributions for CentOS, Debian, Fedora, RHEL, Ubuntu are available here.

Binary distribution for Microsoft Windows

Four ports of OCaml for Microsoft Windows are currently available. For additional information, please consult the list of portability issues or the Windows release notes.

  • Cygwin-based native Win32 port. A self installer. The interactive loop comes with a simple graphical user interface. Some features require the Cygwin environment, which the installer can fetch for you. However, the compilers are, and generate true Win32 executables, which do not require Cygwin to run.

  • Microsoft-based native Win32 port. No binary distribution available yet; download the source distribution and compile it.

  • Cygwin-based port. Requires Cygwin. No graphical user interface is provided. The compilers generate executables that do require Cygwin. The precompiled binaries are part of the Cygwin distribution; you can install them using the Cygwin setup tool. Alternatively, download the source distribution and compile it under Cygwin.

  • Microsoft-based native Win64 port Same features as the Microsoft-based native Win32 port, but generates 64-bit code. No binary distribution available yet; download the source distribution and compile it.

Precompiled binaries for Solaris

Available at sunfreeware.com.

Alternative Compilers

Additionally, the following projects allow you to compile OCaml code to targets traditionally associated with other languages:

  • Js_of_ocaml is a stable OCaml to JavaScript compiler.

  • Bucklescript is a newer OCaml to JavaScript compiler. See its wiki for an explanation of how it differs from js_of_ocaml.

  • OCaml-java is a stable OCaml to Java compiler.

User's manual

The user's manual for OCaml can be: