Security advisory for racket/sandbox; fixed in v8.2
43 views
Skip to first unread message
Sam Tobin-Hochstadt
Jul 19, 2021, 2:35:47 PM7/19/21
to Racket Users
The Racket team recently became aware of a security vulnerability in
the `racket/sandbox` library. Code evaluated using a sandbox could
cause system modules to incorrectly use attacker-created modules
instead of their intended dependencies. This could allow system
functions to be controlled by the attacker, giving access to
facilities intended to be restricted.
The official advisory is at
https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
To address this vulnerability, anyone who uses a sandbox to evaluate
untrusted code should upgrade to version 8.2. This includes all uses
of the Handin server.
For users of the Handin server, it now provides an API to restrict
`require`s for uses of teaching languages. We strongly encourage using
this API [1], which can prevent exploiting this bug as well as other
problems that access to full Racket or other installed modules might
expose.
Feedback on this advisory, and any security issues discovered in
Racket, is welcome at secu...@racket-lang.org
[1] the `#:requires` argument to `make-evaluator`, or the `requires`
arguments to `make-evaluator/submission` and similar.
Sam, for the Racket team
the `racket/sandbox` library. Code evaluated using a sandbox could
cause system modules to incorrectly use attacker-created modules
instead of their intended dependencies. This could allow system
functions to be controlled by the attacker, giving access to
facilities intended to be restricted.
The official advisory is at
https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
To address this vulnerability, anyone who uses a sandbox to evaluate
untrusted code should upgrade to version 8.2. This includes all uses
of the Handin server.
For users of the Handin server, it now provides an API to restrict
`require`s for uses of teaching languages. We strongly encourage using
this API [1], which can prevent exploiting this bug as well as other
problems that access to full Racket or other installed modules might
expose.
Feedback on this advisory, and any security issues discovered in
Racket, is welcome at secu...@racket-lang.org
[1] the `#:requires` argument to `make-evaluator`, or the `requires`
arguments to `make-evaluator/submission` and similar.
Sam, for the Racket team
Sage Gerard
Jul 19, 2021, 3:40:01 PM7/19/21
to sa...@cs.indiana.edu, racket...@googlegroups.com
Thank you for letting us know.
-------- Original Message --------
~slg
-------- Original Message --------
--
You received this message because you are subscribed to the Google Groups "Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to racket-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/CAK%3DHD%2BZ5rnpqW1g27AzSEOSfmLLGqr86GQzkmjaw4cc7xtD4QQ%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages