Bug 1193877 - (CVE-2021-32773) VUL-0: CVE-2021-32773: racket: incorrect code evaluation may lead to privileges escalation
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Fred Fu
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/304611/
Reported: 2021-12-17 16:03 UTC by Gabriele Sonnu
Modified: 2022-01-21 09:01 UTC
Found By: Security Response Team
Description Gabriele Sonnu 2021-12-17 16:03:51 UTC
Code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted. For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limits the impact of the problem. For multi-user evaluation systems, such as the `handin-server` system, it is not possible to work around this problem and upgrading is required.

Upstream Issue:

https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
https://github.com/racket/racket/commit/6ca4ffeca1e5877d44f835760ad89f18488d97e1

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1985229
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32773
http://www.cvedetails.com/cve/CVE-2021-32773/
Comment 1 Gabriele Sonnu 2021-12-17 16:04:41 UTC
Affected packages:

 - openSUSE:Backports:SLE-15-SP2/racket  7.3
 - openSUSE:Backports:SLE-15-SP3/racket  7.3

Please update them to a non-vulnerable version (>= 8.2).
Comment 2 Fred Fu 2021-12-17 16:29:50 UTC
The devel/misc/racket has been upgraded to 8.3. The TW racket package has been brought up to date as well. But it looks like https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP2/racket is maintained by different people. After having a quick look, they don't have a history of receiving requests. How should we proceed? Maybe cc them?
Comment 3 Gabriele Sonnu 2021-12-22 09:35:15 UTC
I added Max Lin as he recently upgraded racket for openSUSE:Backports:SLE-15-SP4 [0].

[0] https://build.opensuse.org/request/show/938464
Comment 4 Marcus Meissner 2022-01-21 09:01:30 UTC
Security updates should be submitted against openSUSE:Backports:SLE-15-SP2:Update

(please use "obs sm racket" to show the valid current targets)