Confused deputy attack in sandbox module resolution

Moderate
samth published GHSA-cgrw-p7p7-937c Jul 19, 2021

Package

No package listed

Affected versions

< 8.2

Patched versions

8.2

Description

Impact

Code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted.

Patches

This problem is fixed in Racket version 8.2, now widely available from https://download.racket-lang.org.

Workarounds

For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limits the impact of the problem. For multi-user evaluation systems, such as the handin-server system, it is not possible to work around this problem, and upgrading is required.

For users of the Handin server, it now provides an API to restrict requires when teaching languages are used. We strongly encourage using this API [1], which can prevent exploitation of this bug as well as other problems that access to full Racket or other installed modules might expose.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-32773

Weaknesses

No CWEs

Credits