Bug 1193877 (CVE-2021-32773)

Summary: VUL-0: CVE-2021-32773: racket: incorrect code evaluation may lead to privileges escalation
Product: [openSUSE] openSUSE Distribution
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Security
Assignee: Fred Fu <moonsolo>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mlin+factory, sbahling
Version: Leap 15.3
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/304611/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gabriele Sonnu 2021-12-17 16:03:51 UTC
Code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted. For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limits the impact of the problem. For multi-user evaluation systems, such as the `handin-server` system, it is not possible to work around this problem and upgrading is required.

Upstream Issue:

https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
https://github.com/racket/racket/commit/6ca4ffeca1e5877d44f835760ad89f18488d97e1

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1985229
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32773
https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
https://github.com/racket/racket/commit/6ca4ffeca1e5877d44f835760ad89f18488d97e1
http://www.cvedetails.com/cve/CVE-2021-32773/
Comment 1 Gabriele Sonnu 2021-12-17 16:04:41 UTC
Affected packages:

 - openSUSE:Backports:SLE-15-SP2/racket  7.3
 - openSUSE:Backports:SLE-15-SP3/racket  7.3

Please update them to a non-vulnerable version (>= 8.2).
Comment 2 Fred Fu 2021-12-17 16:29:50 UTC
The devel/misc/racket package has been upgraded to 8.3. The TW racket package has been brought up to date as well. But it looks like https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP2/racket is maintained by different people. After having a quick look, they don't have a history of receiving requests. How should we proceed? Maybe cc them?
Comment 3 Gabriele Sonnu 2021-12-22 09:35:15 UTC
I added Max Lin as he recently upgraded racket for openSUSE:Backports:SLE-15-SP4 [0].

[0] https://build.opensuse.org/request/show/938464
Comment 4 Marcus Meissner 2022-01-21 09:01:30 UTC
Security updates should be submitted against openSUSE:Backports:SLE-15-SP2:Update.

(please use "obs sm racket" to show the valid current targets)