Bugzilla – Bug 1193877
VUL-0: CVE-2021-32773: racket: incorrect code evaluation may lead to privileges escalation
Last modified: 2022-01-21 09:01:30 UTC
Code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted. For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limits the impact of the problem. For multi-user evaluation systems, such as the `handin-server` system, it is not possible to work around this problem and upgrading is required.

Upstream Issue:
https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
https://github.com/racket/racket/commit/6ca4ffeca1e5877d44f835760ad89f18488d97e1

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1985229
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32773
https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
https://github.com/racket/racket/commit/6ca4ffeca1e5877d44f835760ad89f18488d97e1
http://www.cvedetails.com/cve/CVE-2021-32773/
Affected packages:
- openSUSE:Backports:SLE-15-SP2/racket 7.3
- openSUSE:Backports:SLE-15-SP3/racket 7.3

Please update them to a non-vulnerable version (>= 8.2).
The devel/misc/racket has been upgraded to 8.3. The TW racket package has been brought up to date as well. But it looks like https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP2/racket is maintained by different people. After having a quick look, they don't have a history of receiving requests. How should we proceed? Maybe cc them?
I added Max Lin as he recently upgraded racket for openSUSE:Backports:SLE-15-SP4 [0]. [0] https://build.opensuse.org/request/show/938464
Security updates should be submitted against openSUSE:Backports:SLE-15-SP2:Update (please use "obs sm racket" to show the valid current targets).