Bug#991486: unblock: racket/7.9+dfsg1-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Please unblock package racket
[ Reason ]
This upload fixes a recently announced security bug in racket
(#991327, CVE-2021-32773).
[ Impact ]
The main use of sandboxing that I know about is the handin-server used
to run student code. Operators of the the handin-server face the
possibility of arbitrary remote code execution (from authenticated
users) when running the unpatched version of racket 7.9. This is a
relatively small subset of the users of racket, but possibly a group
more likely to be running Debian stable (since it is a multi-user
service).
[ Tests ]
The following manual tests have been applied:
0) The package installs and drracket runs on a bullseye / amd64 system
1) The upstream provided test [1] verifies that the vulnerability is fixed in 7.9+dfsg1-2
2) I ran the test suite of sparktope, a research project that uses racket to implement compiler front-end.
[ Risks ]
racket is almost a leaf package (minlog and racket-mode are the only (Build)-rdeps)
outside the source).
On the other hand, the change is to the expander, which
racket interpreter.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
The changes consist of two patches. The first patch [2] updates the
racket source and docs, and the second [3] propagates those changes to
the generated C code used to build the interpreter. The second commit
is not really verifiable other than by following the sequence of
instructions in the commit message and comparing the results. I chose
this method because to re-generate the code at build time would have
needed a second build. On top of potential packaging bugs (being in
CDBS doesn't help my confidence here), this might be too much for some
architectures, given the build takes about 3h. I could try to do the
generation at build time, but it would most likely cause some delay in
addition to the identified risks.
unblock racket/7.9+dfsg1-2
[1]: https://gist.github.com/mflatt/f4231d8b9f2418f189d839e587235f04
[2]: https://salsa.debian.org/bremner/racket/-/commit/f34ab2ac023d35dd77c74040863e938180740ca2
[3]: https://salsa.debian.org/bremner/racket/-/commit/6c691f2fc7129bb692093ae0b022e9e8b1e71e85
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEkiyHYXwaY0SiY6fqA0U5G1WqFSEFAmD9jrsACgkQA0U5G1Wq
FSG1chAAlBRLs7IUIEp/RT4cWYOsycoiKBDV6C2kfHggidTYbie4EfRbVqaCXY3K
gU6x4rTaP8Z6jlEdgF9cdGWj2Sy+sb9JMBuVr31XyG5SewxEU02NoS7Fa+yTeo1X
g6h5fndpVooekd0JPlZwr83aT7abrgq1de768hMl2KDL5fPENooEbcFEOecq1wFY
3nb1YcYrRaXXLQzzs2A5zzS8zctjM6BSLT0kl1afC0xRJlBBoqgE6yEh4GGHfNoG
c1wx2m6VaVwSTwdskkEDpNRADnXUkAeE/9VMju5RJPg2g7aYaHWYy42XhEH+g8DT
aszEbvr4lfON5lnoJ5mANSbTP4fcGl+NZ9Ij8m4UiAVymXoY/HO2SUO9pE4pn1p0
xX1eQbpfXJJne3Xqv159+DZitm7aHGRXRAFb3p2lqtUIuwTM0YkYoBwEGdzk59RY
OUIvRmKi92m+fq+Hhc+fhKwRPfS3eHk/HgMShrjIB96BnvTL6zU/Jts47BE2FEgo
+F8ZGyY8f2kpbGZqGkchYcKI5nvX/bM3ndAS1kTk1kQzGN7/gt0gxOBPvtS1SRhv
t2lCfmyc133qnXheFj6GfIE2R/lSJI1jfXnxNmQ6tw/V8Ju5TjW7xibUHlOqdw6z
jRsdDDvA2A5J1+jsroR/tfsyc2UwzwbuykXqPg65WBpWZT5fbew=
=KkK0
-----END PGP SIGNATURE-----
diff -Nru racket-7.9+dfsg1/debian/changelog racket-7.9+dfsg1/debian/changelog
--- racket-7.9+dfsg1/debian/changelog 2020-12-08 20:47:19.000000000 -0400
+++ racket-7.9+dfsg1/debian/changelog 2021-07-24 11:13:09.000000000 -0300
@@ -1,3 +1,11 @@
+racket (7.9+dfsg1-2) unstable; urgency=medium
+
+ * Bug fix: "CVE-2021-32773", thanks to Moritz Mühlenhoff (Closes:
+ #991327). Backport commit aa2e814a02 from racket 8.2. See also
+ https://github.com/racket/racket/issues/3923
+
+ -- David Bremner <bremner@debian.org> Sat, 24 Jul 2021 11:13:09 -0300
+
racket (7.9+dfsg1-1) unstable; urgency=medium
* New upstream release
diff -Nru racket-7.9+dfsg1/debian/patches/0001-prohibit-import-from-module-with-a-weak-code-inspect.patch racket-7.9+dfsg1/debian/patches/0001-prohibit-import-from-module-with-a-weak-code-inspect.patch
--- racket-7.9+dfsg1/debian/patches/0001-prohibit-import-from-module-with-a-weak-code-inspect.patch 1969-12-31 20:00:00.000000000 -0400
+++ racket-7.9+dfsg1/debian/patches/0001-prohibit-import-from-module-with-a-weak-code-inspect.patch 2021-07-24 11:13:09.000000000 -0300
@@ -0,0 +1,104 @@
+From: Matthew Flatt <mflatt@racket-lang.org>
+Date: Sun, 27 Jun 2021 08:46:02 -0600
+Subject: prohibit import from module with a weak code inspector
+
+Cherry-picking commit aa2e814a02, with changes to generated files
+dropped. This change alone will not fix #991327; the code in
+src/bc/src/startup.inc needs to be regenerated by running "make
+expander" in src/expander.
+---
+ .../scribblings/reference/code-inspectors.scrbl | 12 +++++++++---
+ src/expander/namespace/module.rkt | 20 ++++++++++++++++----
+ 2 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/share/pkgs/racket-doc/scribblings/reference/code-inspectors.scrbl b/share/pkgs/racket-doc/scribblings/reference/code-inspectors.scrbl
+index b5037a5..2af93a8 100644
+--- a/share/pkgs/racket-doc/scribblings/reference/code-inspectors.scrbl
++++ b/share/pkgs/racket-doc/scribblings/reference/code-inspectors.scrbl
+@@ -22,11 +22,13 @@ of @racket[current-code-inspector] never changes, then no control is
+ lost for any module invocation, since the module's invocation is
+ associated with a sub-inspector of @racket[current-code-inspector].
+
+-When an inspector that controls a module invocation is installed
+-@racket[current-code-inspector], it enables the following
++When an inspector that controls a module invocation is installed with
++@racket[current-code-inspector], it enables using
+ @racket[module->namespace] on the module, and it enables access to the
+ module's protected exports (i.e., those identifiers exported from the
+-module with @racket[protect-out]) via @racket[dynamic-require].
++module with @racket[protect-out]) via @racket[dynamic-require]. A
++module cannot @racket[require] a module that has a weaker
++declaration-time code inspector.
+
+ When a @racket[module] form is expanded or a @tech{namespace} is
+ created, the value of @racket[current-code-inspector] is associated
+@@ -56,6 +58,10 @@ particular module registry can be changed via
+ @racket[namespace-unprotect-module] (but changing the inspector
+ requires control over the old one).
+
++@history[#:changed "8.1.0.8" @elem{Added constraint against
++ @racket[require] of a module with
++ a weaker code inspector.}]
++
+ @defparam[current-code-inspector insp inspector?]{
+
+ A @tech{parameter} that determines an inspector to control access to
+diff --git a/src/expander/namespace/module.rkt b/src/expander/namespace/module.rkt
+index b19273e..6d66c5d 100644
+--- a/src/expander/namespace/module.rkt
++++ b/src/expander/namespace/module.rkt
+@@ -376,7 +376,8 @@
+ #:skip-run? [skip-run? #f]
+ #:otherwise-available? [otherwise-available? #t]
+ #:seen [seen #hasheq()]
+- #:seen-list [seen-list null])
++ #:seen-list [seen-list null]
++ #:minimum-inspector [minimum-inspector #f])
+ (unless (module-path-index? mpi)
+ (error "not a module path index:" mpi))
+ (define name (module-path-index-resolve mpi #t))
+@@ -390,7 +391,8 @@
+ #:skip-run? skip-run?
+ #:otherwise-available? otherwise-available?
+ #:seen seen
+- #:seen-list seen-list))
++ #:seen-list seen-list
++ #:minimum-inspector minimum-inspector))
+ ;; If the module is cross-phase persistent, make sure it's instantiated
+ ;; at phase 0 and registered in `ns` as phaseless; otherwise
+ (cond
+@@ -417,7 +419,8 @@
+ #:skip-run? skip-run?
+ #:otherwise-available? otherwise-available?
+ #:seen [seen #hasheq()]
+- #:seen-list [seen-list null])
++ #:seen-list [seen-list null]
++ #:minimum-inspector [minimum-inspector #f])
+ (performance-region
+ ['eval 'requires]
+ ;; Nothing to do if we've run this phase already and made the
+@@ -425,6 +428,14 @@
+ (define m-ns (module-instance-namespace mi))
+ (define instance-phase (namespace-0-phase m-ns))
+ (define run-phase-level (phase- run-phase instance-phase))
++ (define inspector (module-inspector (module-instance-module mi)))
++ (when minimum-inspector
++ (unless (or (eq? inspector minimum-inspector)
++ (inspector-superior? inspector minimum-inspector))
++ (error 'require
++ "cannot import module with weaker code inspector\n module: ~a"
++ (module-path-index-resolve
++ (namespace-mpi (module-instance-namespace mi))))))
+ (unless (and (or skip-run?
+ (eq? 'started (small-hash-ref (module-instance-phase-level-to-state mi) run-phase-level #f)))
+ (or (not otherwise-available?)
+@@ -464,7 +475,8 @@
+ #:skip-run? skip-run?
+ #:otherwise-available? otherwise-available?
+ #:seen (hash-set seen mi #t)
+- #:seen-list (cons mi seen-list))))
++ #:seen-list (cons mi seen-list)
++ #:minimum-inspector inspector)))
+
+ ;; Run or make available phases of the module body:
+ (unless (label-phase? instance-phase)
diff -Nru racket-7.9+dfsg1/debian/patches/0002-regenerate-startup.inc.patch racket-7.9+dfsg1/debian/patches/0002-regenerate-startup.inc.patch
--- racket-7.9+dfsg1/debian/patches/0002-regenerate-startup.inc.patch 1969-12-31 20:00:00.000000000 -0400
+++ racket-7.9+dfsg1/debian/patches/0002-regenerate-startup.inc.patch 2021-07-24 11:13:09.000000000 -0300
@@ -0,0 +1,839 @@
+From: David Bremner <bremner@debian.org>
+Date: Sat, 24 Jul 2021 11:09:02 -0300
+Subject: regenerate startup.inc
+
+This propagates the changes of 9c85d00a to the expander source used in
+the build. The commit was generated by the following procedure.
+
+% cd src
+% make
+% make install
+% cd expander
+% make expander
+% git add ../bc/src/startup.inc
+---
+ src/bc/src/startup.inc | 478 +++++++++++++++++++++++++++----------------------
+ 1 file changed, 264 insertions(+), 214 deletions(-)
+
+diff --git a/src/bc/src/startup.inc b/src/bc/src/startup.inc
+index 048907f..ad7879f 100644
+--- a/src/bc/src/startup.inc
++++ b/src/bc/src/startup.inc
+@@ -14034,38 +14034,38 @@ static const char *startup_source =
+ "(let-values(((name_0)(1/module-path-index-resolve name-mpi_0)))"
+ "(let-values(((m-ns_0)"
+ "(let-values(((the-struct_0)"
+-"(let-values(((ns138_0) ns_0)"
+-"((root-expand-ctx139_0) root-expand-ctx_0)"
+-"((temp140_0) #f))"
+-"(new-namespace.1 temp140_0 root-expand-ctx139_0 ns138_0))))"
++"(let-values(((ns142_0) ns_0)"
++"((root-expand-ctx143_0) root-expand-ctx_0)"
++"((temp144_0) #f))"
++"(new-namespace.1 temp144_0 root-expand-ctx143_0 ns142_0))))"
+ "(if(1/namespace? the-struct_0)"
+-"(let-values(((mpi130_0) name-mpi_0)"
+-"((source-name131_0)(resolved-module-path-root-name name_0))"
+-"((phase132_0) phase_0)"
+-"((0-phase133_0) phase_0)"
+-"((submodule-declarations134_0)"
++"(let-values(((mpi134_0) name-mpi_0)"
++"((source-name135_0)(resolved-module-path-root-name name_0))"
++"((phase136_0) phase_0)"
++"((0-phase137_0) phase_0)"
++"((submodule-declarations138_0)"
+ "(if for-submodule?_0"
+ "(namespace-submodule-declarations ns_0)"
+ "(make-small-hasheq)))"
+-"((available-module-instances135_0)(make-hasheqv))"
+-"((module-instances136_0)(make-hasheqv))"
+-"((declaration-inspector137_0)(current-code-inspector)))"
++"((available-module-instances139_0)(make-hasheqv))"
++"((module-instances140_0)(make-hasheqv))"
++"((declaration-inspector141_0)(current-code-inspector)))"
+ "(namespace1.1"
+-" mpi130_0"
+-" source-name131_0"
++" mpi134_0"
++" source-name135_0"
+ "(namespace-root-expand-ctx the-struct_0)"
+-" phase132_0"
+-" 0-phase133_0"
++" phase136_0"
++" 0-phase137_0"
+ "(namespace-phase-to-namespace the-struct_0)"
+ "(namespace-phase-level-to-definitions the-struct_0)"
+ "(namespace-module-registry$1 the-struct_0)"
+ "(namespace-bulk-binding-registry the-struct_0)"
+-" submodule-declarations134_0"
++" submodule-declarations138_0"
+ "(namespace-root-namespace the-struct_0)"
+-" declaration-inspector137_0"
++" declaration-inspector141_0"
+ "(namespace-inspector the-struct_0)"
+-" available-module-instances135_0"
+-" module-instances136_0))"
++" available-module-instances139_0"
++" module-instances140_0))"
+ " (raise-argument-error 'struct-copy \"namespace?\" the-struct_0)))))"
+ "(let-values((()"
+ "(begin"
+@@ -14096,10 +14096,10 @@ static const char *startup_source =
+ "(let-values(((prior-mi_0)"
+ "(if prior-m_0"
+ "(if(not(eq? m_0 prior-m_0))"
+-"(let-values(((ns141_0) ns_0)"
+-"((mod-name142_0) mod-name_0)"
+-"((temp143_0)(namespace-phase ns_0)))"
+-"(namespace->module-instance.1 #f #f void ns141_0 mod-name142_0 temp143_0))"
++"(let-values(((ns145_0) ns_0)"
++"((mod-name146_0) mod-name_0)"
++"((temp147_0)(namespace-phase ns_0)))"
++"(namespace->module-instance.1 #f #f void ns145_0 mod-name146_0 temp147_0))"
+ " #f)"
+ " #f)))"
+ "(begin"
+@@ -14132,29 +14132,30 @@ static const char *startup_source =
+ "(set-module-instance-shifted-requires! prior-mi_0 #f)"
+ "(if visit?_0"
+ "(let-values()"
+-"(let-values(((ns144_0) ns_0)"
+-"((temp145_0)(namespace-mpi m-ns_0))"
+-"((phase146_0) phase_0))"
++"(let-values(((ns148_0) ns_0)"
++"((temp149_0)(namespace-mpi m-ns_0))"
++"((phase150_0) phase_0))"
+ "(namespace-module-visit!.1"
+ " unsafe-undefined"
+-" ns144_0"
+-" temp145_0"
+-" phase146_0)))"
++" ns148_0"
++" temp149_0"
++" phase150_0)))"
+ "(void))"
+ "(if run?_0"
+ "(let-values()"
+-"(let-values(((ns147_0) ns_0)"
+-"((temp148_0)(namespace-mpi m-ns_0))"
+-"((phase149_0) phase_0))"
++"(let-values(((ns151_0) ns_0)"
++"((temp152_0)(namespace-mpi m-ns_0))"
++"((phase153_0) phase_0))"
+ "(namespace-module-instantiate!.1"
++" #f"
+ " #t"
+ " unsafe-undefined"
+ " '#hasheq()"
+ " null"
+ " #f"
+-" ns147_0"
+-" temp148_0"
+-" phase149_0)))"
++" ns151_0"
++" temp152_0"
++" phase153_0)))"
+ "(void))))))))))"
+ "(void)))))))))))))"
+ "(define-values"
+@@ -14245,32 +14246,32 @@ static const char *startup_source =
+ "(let-values(((m-ns_0)"
+ "(let-values(((the-struct_0) ns_0))"
+ "(if(1/namespace? the-struct_0)"
+-"(let-values(((mpi150_0)(namespace-mpi existing-m-ns_0))"
+-"((source-name151_0)(namespace-source-name existing-m-ns_0))"
+-"((root-expand-ctx152_0)(box(unbox(namespace-root-expand-ctx existing-m-ns_0))))"
+-"((phase153_0)(namespace-phase existing-m-ns_0))"
+-"((0-phase154_0)(namespace-0-phase existing-m-ns_0))"
+-"((phase-to-namespace155_0)(make-small-hasheqv))"
+-"((phase-level-to-definitions156_0)"
++"(let-values(((mpi154_0)(namespace-mpi existing-m-ns_0))"
++"((source-name155_0)(namespace-source-name existing-m-ns_0))"
++"((root-expand-ctx156_0)(box(unbox(namespace-root-expand-ctx existing-m-ns_0))))"
++"((phase157_0)(namespace-phase existing-m-ns_0))"
++"((0-phase158_0)(namespace-0-phase existing-m-ns_0))"
++"((phase-to-namespace159_0)(make-small-hasheqv))"
++"((phase-level-to-definitions160_0)"
+ "(if(module-cross-phase-persistent? m_0)"
+ "(namespace-phase-level-to-definitions existing-m-ns_0)"
+ "(make-small-hasheqv)))"
+-"((declaration-inspector157_0)(module-inspector m_0))"
+-"((inspector158_0)(namespace-inspector existing-m-ns_0)))"
++"((declaration-inspector161_0)(module-inspector m_0))"
++"((inspector162_0)(namespace-inspector existing-m-ns_0)))"
+ "(namespace1.1"
+-" mpi150_0"
+-" source-name151_0"
+-" root-expand-ctx152_0"
+-" phase153_0"
+-" 0-phase154_0"
+-" phase-to-namespace155_0"
+-" phase-level-to-definitions156_0"
++" mpi154_0"
++" source-name155_0"
++" root-expand-ctx156_0"
++" phase157_0"
++" 0-phase158_0"
++" phase-to-namespace159_0"
++" phase-level-to-definitions160_0"
+ "(namespace-module-registry$1 the-struct_0)"
+ "(namespace-bulk-binding-registry the-struct_0)"
+ "(namespace-submodule-declarations the-struct_0)"
+ "(namespace-root-namespace the-struct_0)"
+-" declaration-inspector157_0"
+-" inspector158_0"
++" declaration-inspector161_0"
++" inspector162_0"
+ "(namespace-available-module-instances the-struct_0)"
+ "(namespace-module-instances the-struct_0)))"
+ " (raise-argument-error 'struct-copy \"namespace?\" the-struct_0)))))"
+@@ -14329,33 +14330,33 @@ static const char *startup_source =
+ "(let-values(((m-ns_0)"
+ "(let-values(((the-struct_0) ns_0))"
+ "(if(1/namespace? the-struct_0)"
+-"(let-values(((mpi159_0) mpi_0)"
+-"((source-name160_0)"
++"(let-values(((mpi163_0) mpi_0)"
++"((source-name164_0)"
+ "(let-values(((or-part_0)(module-source-name m_0)))"
+ "(if or-part_0"
+ " or-part_0"
+ "(resolved-module-path-root-name(1/module-path-index-resolve mpi_0)))))"
+-"((root-expand-ctx161_0)(box #f))"
+-"((phase162_0) 0-phase_0)"
+-"((0-phase163_0) 0-phase_0)"
+-"((phase-to-namespace164_0)(make-small-hasheqv))"
+-"((phase-level-to-definitions165_0)(make-small-hasheqv))"
+-"((declaration-inspector166_0)(module-inspector m_0))"
+-"((inspector167_0)(make-inspector(module-inspector m_0))))"
++"((root-expand-ctx165_0)(box #f))"
++"((phase166_0) 0-phase_0)"
++"((0-phase167_0) 0-phase_0)"
++"((phase-to-namespace168_0)(make-small-hasheqv))"
++"((phase-level-to-definitions169_0)(make-small-hasheqv))"
++"((declaration-inspector170_0)(module-inspector m_0))"
++"((inspector171_0)(make-inspector(module-inspector m_0))))"
+ "(namespace1.1"
+-" mpi159_0"
+-" source-name160_0"
+-" root-expand-ctx161_0"
+-" phase162_0"
+-" 0-phase163_0"
+-" phase-to-namespace164_0"
+-" phase-level-to-definitions165_0"
++" mpi163_0"
++" source-name164_0"
++" root-expand-ctx165_0"
++" phase166_0"
++" 0-phase167_0"
++" phase-to-namespace168_0"
++" phase-level-to-definitions169_0"
+ "(namespace-module-registry$1 the-struct_0)"
+ "(namespace-bulk-binding-registry the-struct_0)"
+ "(namespace-submodule-declarations the-struct_0)"
+ "(namespace-root-namespace the-struct_0)"
+-" declaration-inspector166_0"
+-" inspector167_0"
++" declaration-inspector170_0"
++" inspector171_0"
+ "(namespace-available-module-instances the-struct_0)"
+ "(namespace-module-instances the-struct_0)))"
+ " (raise-argument-error 'struct-copy \"namespace?\" the-struct_0)))))"
+@@ -14408,57 +14409,59 @@ static const char *startup_source =
+ "(let-values(((unavailable-callback_0) unavailable-callback67_0))"
+ "(let-values()"
+ "(let-values(((mi_0)"
+-"(let-values(((ns168_0) ns_0)"
+-"((name169_0) name_0)"
+-"((0-phase170_0) 0-phase_0)"
+-"((complain-on-failure?171_0) complain-on-failure?_0)"
+-"((check-available-at-phase-level172_0) check-available-at-phase-level_0)"
+-"((unavailable-callback173_0) unavailable-callback_0))"
++"(let-values(((ns172_0) ns_0)"
++"((name173_0) name_0)"
++"((0-phase174_0) 0-phase_0)"
++"((complain-on-failure?175_0) complain-on-failure?_0)"
++"((check-available-at-phase-level176_0) check-available-at-phase-level_0)"
++"((unavailable-callback177_0) unavailable-callback_0))"
+ "(namespace->module-instance.1"
+-" check-available-at-phase-level172_0"
+-" complain-on-failure?171_0"
+-" unavailable-callback173_0"
+-" ns168_0"
+-" name169_0"
+-" 0-phase170_0))))"
++" check-available-at-phase-level176_0"
++" complain-on-failure?175_0"
++" unavailable-callback177_0"
++" ns172_0"
++" name173_0"
++" 0-phase174_0))))"
+ "(if mi_0(module-instance-namespace mi_0) #f))))))))))))"
+ "(define-values"
+ "(namespace-record-module-instance-attached!)"
+ "(lambda(ns_0 mod-name_0 phase_0)"
+ "(begin"
+ "(let-values(((mi_0)"
+-"(let-values(((ns174_0) ns_0)((mod-name175_0) mod-name_0)((phase176_0) phase_0))"
+-"(namespace->module-instance.1 #f #f void ns174_0 mod-name175_0 phase176_0))))"
++"(let-values(((ns178_0) ns_0)((mod-name179_0) mod-name_0)((phase180_0) phase_0))"
++"(namespace->module-instance.1 #f #f void ns178_0 mod-name179_0 phase180_0))))"
+ "(set-module-instance-attached?! mi_0 #t)))))"
+ "(define-values"
+ "(module-force-bulk-binding!)"
+ "(lambda(m_0 ns_0)(begin((module-force-bulk-binding m_0)(namespace-bulk-binding-registry ns_0)))))"
+ "(define-values"
+ "(namespace-module-instantiate!.1)"
+-"(lambda(otherwise-available?77_0"
++"(lambda(minimum-inspector80_0"
++" otherwise-available?77_0"
+ " run-phase75_0"
+ " seen78_0"
+ " seen-list79_0"
+ " skip-run?76_0"
+-" ns85_0"
+-" mpi86_0"
+-" instance-phase87_0)"
++" ns87_0"
++" mpi88_0"
++" instance-phase89_0)"
+ "(begin"
+ " 'namespace-module-instantiate!"
+-"(let-values(((ns_0) ns85_0))"
+-"(let-values(((mpi_0) mpi86_0))"
+-"(let-values(((instance-phase_0) instance-phase87_0))"
++"(let-values(((ns_0) ns87_0))"
++"(let-values(((mpi_0) mpi88_0))"
++"(let-values(((instance-phase_0) instance-phase89_0))"
+ "(let-values(((run-phase_0)(if(eq? run-phase75_0 unsafe-undefined)(namespace-phase ns_0) run-phase75_0)))"
+ "(let-values(((skip-run?_0) skip-run?76_0))"
+ "(let-values(((otherwise-available?_0) otherwise-available?77_0))"
+ "(let-values(((seen_0) seen78_0))"
+ "(let-values(((seen-list_0) seen-list79_0))"
++"(let-values(((minimum-inspector_0) minimum-inspector80_0))"
+ "(let-values()"
+ "(let-values((()"
+ "(begin"
+ "(if(1/module-path-index? mpi_0)"
+ "(void)"
+-" (let-values () (error \"not a module path index:\" mpi_0)))"
++" (let-values () (error \"not a module path index:\" mpi_0)))"
+ "(values))))"
+ "(let-values(((name_0)(1/module-path-index-resolve mpi_0 #t)))"
+ "(let-values(((m_0)(namespace->module ns_0 name_0)))"
+@@ -14474,17 +14477,17 @@ static const char *startup_source =
+ " 'instantiate!"
+ "(let-values(((mi_0)"
+ "(let-values(((or-part_0)"
+-"(let-values(((ns184_0) ns_1)"
+-"((name185_0) name_0)"
+-"((instance-phase186_0)"
++"(let-values(((ns189_0) ns_1)"
++"((name190_0) name_0)"
++"((instance-phase191_0)"
+ " instance-phase_1))"
+ "(namespace->module-instance.1"
+ " #f"
+ " #f"
+ " void"
+-" ns184_0"
+-" name185_0"
+-" instance-phase186_0))))"
++" ns189_0"
++" name190_0"
++" instance-phase191_0))))"
+ "(if or-part_0"
+ " or-part_0"
+ "(namespace-create-module-instance!"
+@@ -14493,21 +14496,23 @@ static const char *startup_source =
+ " instance-phase_1"
+ " m_0"
+ " mpi_0)))))"
+-"(let-values(((mi177_0) mi_0)"
+-"((ns178_0) ns_1)"
+-"((run-phase179_0) run-phase_1)"
+-"((skip-run?180_0) skip-run?_0)"
+-"((otherwise-available?181_0) otherwise-available?_0)"
+-"((seen182_0) seen_0)"
+-"((seen-list183_0) seen-list_0))"
++"(let-values(((mi181_0) mi_0)"
++"((ns182_0) ns_1)"
++"((run-phase183_0) run-phase_1)"
++"((skip-run?184_0) skip-run?_0)"
++"((otherwise-available?185_0) otherwise-available?_0)"
++"((seen186_0) seen_0)"
++"((seen-list187_0) seen-list_0)"
++"((minimum-inspector188_0) minimum-inspector_0))"
+ "(run-module-instance!.1"
+-" otherwise-available?181_0"
+-" run-phase179_0"
+-" seen182_0"
+-" seen-list183_0"
+-" skip-run?180_0"
+-" mi177_0"
+-" ns178_0)))))))"
++" minimum-inspector188_0"
++" otherwise-available?185_0"
++" run-phase183_0"
++" seen186_0"
++" seen-list187_0"
++" skip-run?184_0"
++" mi181_0"
++" ns182_0)))))))"
+ "(if(module-cross-phase-persistent? m_0)"
+ "(let-values()"
+ "(instantiate!_0"
+@@ -14515,68 +14520,79 @@ static const char *startup_source =
+ " 0"
+ "(let-values(((or-part_0)(namespace-root-namespace ns_0)))"
+ "(if or-part_0 or-part_0 ns_0))))"
+-"(let-values()(instantiate!_0 instance-phase_0 run-phase_0 ns_0))))))))))))))))))))"
++"(let-values()"
++"(instantiate!_0 instance-phase_0 run-phase_0 ns_0)))))))))))))))))))))"
+ "(define-values"
+ "(namespace-module-visit!.1)"
+-"(lambda(visit-phase89_0 ns91_0 mpi92_0 instance-phase93_0)"
++"(lambda(visit-phase91_0 ns93_0 mpi94_0 instance-phase95_0)"
+ "(begin"
+ " 'namespace-module-visit!"
+-"(let-values(((ns_0) ns91_0))"
+-"(let-values(((mpi_0) mpi92_0))"
+-"(let-values(((instance-phase_0) instance-phase93_0))"
++"(let-values(((ns_0) ns93_0))"
++"(let-values(((mpi_0) mpi94_0))"
++"(let-values(((instance-phase_0) instance-phase95_0))"
+ "(let-values(((visit-phase_0)"
+-"(if(eq? visit-phase89_0 unsafe-undefined)(namespace-phase ns_0) visit-phase89_0)))"
++"(if(eq? visit-phase91_0 unsafe-undefined)(namespace-phase ns_0) visit-phase91_0)))"
+ "(let-values()"
+-"(let-values(((ns187_0) ns_0)"
+-"((mpi188_0) mpi_0)"
+-"((instance-phase189_0) instance-phase_0)"
+-"((temp190_0)(add1 visit-phase_0)))"
++"(let-values(((ns192_0) ns_0)"
++"((mpi193_0) mpi_0)"
++"((instance-phase194_0) instance-phase_0)"
++"((temp195_0)(add1 visit-phase_0)))"
+ "(namespace-module-instantiate!.1"
++" #f"
+ " #t"
+-" temp190_0"
++" temp195_0"
+ " '#hasheq()"
+ " null"
+ " #f"
+-" ns187_0"
+-" mpi188_0"
+-" instance-phase189_0))))))))))"
++" ns192_0"
++" mpi193_0"
++" instance-phase194_0))))))))))"
+ "(define-values"
+ "(namespace-module-make-available!.1)"
+-"(lambda(visit-phase95_0 ns97_0 mpi98_0 instance-phase99_0)"
++"(lambda(visit-phase97_0 ns99_0 mpi100_0 instance-phase101_0)"
+ "(begin"
+ " 'namespace-module-make-available!"
+-"(let-values(((ns_0) ns97_0))"
+-"(let-values(((mpi_0) mpi98_0))"
+-"(let-values(((instance-phase_0) instance-phase99_0))"
++"(let-values(((ns_0) ns99_0))"
++"(let-values(((mpi_0) mpi100_0))"
++"(let-values(((instance-phase_0) instance-phase101_0))"
+ "(let-values(((visit-phase_0)"
+-"(if(eq? visit-phase95_0 unsafe-undefined)(namespace-phase ns_0) visit-phase95_0)))"
++"(if(eq? visit-phase97_0 unsafe-undefined)(namespace-phase ns_0) visit-phase97_0)))"
+ "(let-values()"
+-"(let-values(((ns191_0) ns_0)"
+-"((mpi192_0) mpi_0)"
+-"((instance-phase193_0) instance-phase_0)"
+-"((temp194_0)(add1 visit-phase_0))"
+-"((temp195_0) #t))"
++"(let-values(((ns196_0) ns_0)"
++"((mpi197_0) mpi_0)"
++"((instance-phase198_0) instance-phase_0)"
++"((temp199_0)(add1 visit-phase_0))"
++"((temp200_0) #t))"
+ "(namespace-module-instantiate!.1"
++" #f"
+ " #t"
+-" temp194_0"
++" temp199_0"
+ " '#hasheq()"
+ " null"
+-" temp195_0"
+-" ns191_0"
+-" mpi192_0"
+-" instance-phase193_0))))))))))"
++" temp200_0"
++" ns196_0"
++" mpi197_0"
++" instance-phase198_0))))))))))"
+ "(define-values"
+ "(run-module-instance!.1)"
+-"(lambda(otherwise-available?103_0 run-phase101_0 seen104_0 seen-list105_0 skip-run?102_0 mi111_0 ns112_0)"
++"(lambda(minimum-inspector108_0"
++" otherwise-available?105_0"
++" run-phase103_0"
++" seen106_0"
++" seen-list107_0"
++" skip-run?104_0"
++" mi115_0"
++" ns116_0)"
+ "(begin"
+ " 'run-module-instance!"
+-"(let-values(((mi_0) mi111_0))"
+-"(let-values(((ns_0) ns112_0))"
+-"(let-values(((run-phase_0) run-phase101_0))"
+-"(let-values(((skip-run?_0) skip-run?102_0))"
+-"(let-values(((otherwise-available?_0) otherwise-available?103_0))"
+-"(let-values(((seen_0) seen104_0))"
+-"(let-values(((seen-list_0) seen-list105_0))"
++"(let-values(((mi_0) mi115_0))"
++"(let-values(((ns_0) ns116_0))"
++"(let-values(((run-phase_0) run-phase103_0))"
++"(let-values(((skip-run?_0) skip-run?104_0))"
++"(let-values(((otherwise-available?_0) otherwise-available?105_0))"
++"(let-values(((seen_0) seen106_0))"
++"(let-values(((seen-list_0) seen-list107_0))"
++"(let-values(((minimum-inspector_0) minimum-inspector108_0))"
+ "(let-values()"
+ "(begin"
+ "(if log-performance?(let-values()(start-performance-region 'eval 'requires))(void))"
+@@ -14585,6 +14601,22 @@ static const char *startup_source =
+ "(let-values(((m-ns_0)(module-instance-namespace mi_0)))"
+ "(let-values(((instance-phase_0)(namespace-0-phase m-ns_0)))"
+ "(let-values(((run-phase-level_0)(phase- run-phase_0 instance-phase_0)))"
++"(let-values(((inspector_0)(module-inspector(module-instance-module mi_0))))"
++"(begin"
++"(if minimum-inspector_0"
++"(let-values()"
++"(if(let-values(((or-part_0)(eq? inspector_0 minimum-inspector_0)))"
++"(if or-part_0"
++" or-part_0"
++"(inspector-superior? inspector_0 minimum-inspector_0)))"
++"(void)"
++"(let-values()"
++"(error"
++" 'require"
++" \"cannot import module with weaker code inspector\\n module: ~a\""
++"(1/module-path-index-resolve"
++"(namespace-mpi(module-instance-namespace mi_0)))))))"
++"(void))"
+ "(if(if(let-values(((or-part_0) skip-run?_0))"
+ "(if or-part_0"
+ " or-part_0"
+@@ -14607,7 +14639,7 @@ static const char *startup_source =
+ "(let-values()"
+ "(error"
+ " 'require"
+-" \"import cycle detected; trying to run module being expanded\")))"
++" \"import cycle detected; trying to run module being expanded\")))"
+ "(values))))"
+ "(let-values(((mpi_0)(namespace-mpi m-ns_0)))"
+ "(let-values(((phase-shift_0) instance-phase_0))"
+@@ -14620,9 +14652,11 @@ static const char *startup_source =
+ " 'require"
+ "(apply"
+ " string-append"
+-" \"import cycle detected during module instantiation\\n\""
+-" \" dependency chain:\""
+-"(module-instances->indented-module-names mi_0 seen-list_0))))"
++" \"import cycle detected during module instantiation\\n\""
++" \" dependency chain:\""
++"(module-instances->indented-module-names"
++" mi_0"
++" seen-list_0))))"
+ "(void))"
+ "(if(module-instance-shifted-requires mi_0)"
+ "(void)"
+@@ -14632,7 +14666,8 @@ static const char *startup_source =
+ "(reverse$1"
+ "(let-values(((lst_0)(module-requires m_0)))"
+ "(begin"
+-"(if(variable-reference-from-unsafe?(#%variable-reference))"
++"(if(variable-reference-from-unsafe?"
++"(#%variable-reference))"
+ "(void)"
+ "(let-values()(check-list lst_0)))"
+ "((letrec-values(((for-loop_0)"
+@@ -14641,9 +14676,11 @@ static const char *startup_source =
+ " 'for-loop"
+ "(if(pair? lst_1)"
+ "(let-values(((phase+mpis_0)"
+-"(unsafe-car lst_1))"
++"(unsafe-car"
++" lst_1))"
+ "((rest_0)"
+-"(unsafe-cdr lst_1)))"
++"(unsafe-cdr"
++" lst_1)))"
+ "(let-values(((fold-var_1)"
+ "(let-values(((fold-var_1)"
+ " fold-var_0))"
+@@ -14707,7 +14744,9 @@ static const char *startup_source =
+ "(values"
+ " fold-var_2)))))"
+ "(if(not #f)"
+-"(for-loop_0 fold-var_1 rest_0)"
++"(for-loop_0"
++" fold-var_1"
++" rest_0)"
+ " fold-var_1)))"
+ " fold-var_0)))))"
+ " for-loop_0)"
+@@ -14765,38 +14804,41 @@ static const char *startup_source =
+ "(let-values()"
+ "(begin"
+ "(let-values()"
+-"(let-values(((ns196_0)"
++"(let-values(((ns201_0)"
+ " ns_0)"
+-"((req-mpi197_0)"
++"((req-mpi202_0)"
+ " req-mpi_0)"
+-"((temp198_0)"
++"((temp203_0)"
+ "(phase+"
+ " instance-phase_0"
+ " req-phase_0))"
+-"((run-phase199_0)"
++"((run-phase204_0)"
+ " run-phase_0)"
+-"((skip-run?200_0)"
++"((skip-run?205_0)"
+ " skip-run?_0)"
+-"((otherwise-available?201_0)"
++"((otherwise-available?206_0)"
+ " otherwise-available?_0)"
+-"((temp202_0)"
++"((temp207_0)"
+ "(hash-set"
+ " seen_0"
+ " mi_0"
+ " #t))"
+-"((temp203_0)"
++"((temp208_0)"
+ "(cons"
+ " mi_0"
+-" seen-list_0)))"
++" seen-list_0))"
++"((inspector209_0)"
++" inspector_0))"
+ "(namespace-module-instantiate!.1"
+-" otherwise-available?201_0"
+-" run-phase199_0"
+-" temp202_0"
+-" temp203_0"
+-" skip-run?200_0"
+-" ns196_0"
+-" req-mpi197_0"
+-" temp198_0)))"
++" inspector209_0"
++" otherwise-available?206_0"
++" run-phase204_0"
++" temp207_0"
++" temp208_0"
++" skip-run?205_0"
++" ns201_0"
++" req-mpi202_0"
++" temp203_0)))"
+ "(values)))))"
+ "(values)))))"
+ "(if(not"
+@@ -14825,7 +14867,8 @@ static const char *startup_source =
+ "((end_0)(sub1(module-min-phase-level m_0)))"
+ "((inc_0) -1))"
+ "(begin"
+-"(if(variable-reference-from-unsafe?(#%variable-reference))"
++"(if(variable-reference-from-unsafe?"
++"(#%variable-reference))"
+ "(void)"
+ "(let-values()(check-range start_0 end_0 inc_0)))"
+ "((letrec-values(((for-loop_0)"
+@@ -14940,7 +14983,8 @@ static const char *startup_source =
+ "(values)))))"
+ "(values)))))"
+ "(if(not #f)"
+-"(for-loop_0(+ pos_0 inc_0))"
++"(for-loop_0"
++"(+ pos_0 inc_0))"
+ "(values))))"
+ "(values))))))"
+ " for-loop_0)"
+@@ -14955,30 +14999,30 @@ static const char *startup_source =
+ "(small-hash-set!"
+ "(module-instance-phase-level-to-state mi_0)"
+ " run-phase-level_0"
+-" 'started)))))))))))))))"
+-"(if log-performance?(let-values()(end-performance-region))(void)))))))))))))))"
++" 'started)))))))))))))))))"
++"(if log-performance?(let-values()(end-performance-region))(void))))))))))))))))"
+ "(define-values"
+ "(namespace-visit-available-modules!)"
+ "(let-values(((namespace-visit-available-modules!_0)"
+-"(lambda(ns115_0 run-phase114_0)"
++"(lambda(ns119_0 run-phase118_0)"
+ "(begin"
+ " 'namespace-visit-available-modules!"
+-"(let-values(((ns_0) ns115_0))"
++"(let-values(((ns_0) ns119_0))"
+ "(let-values(((run-phase_0)"
+-"(if(eq? run-phase114_0 unsafe-undefined)(namespace-phase ns_0) run-phase114_0)))"
++"(if(eq? run-phase118_0 unsafe-undefined)(namespace-phase ns_0) run-phase118_0)))"
+ "(let-values()(namespace-run-available-modules! ns_0(add1 run-phase_0)))))))))"
+ "(case-lambda"
+ "((ns_0)(begin(namespace-visit-available-modules!_0 ns_0 unsafe-undefined)))"
+-"((ns_0 run-phase114_0)(namespace-visit-available-modules!_0 ns_0 run-phase114_0)))))"
++"((ns_0 run-phase118_0)(namespace-visit-available-modules!_0 ns_0 run-phase118_0)))))"
+ "(define-values"
+ "(namespace-run-available-modules!)"
+ "(let-values(((namespace-run-available-modules!_0)"
+-"(lambda(ns117_0 run-phase116_0)"
++"(lambda(ns121_0 run-phase120_0)"
+ "(begin"
+ " 'namespace-run-available-modules!"
+-"(let-values(((ns_0) ns117_0))"
++"(let-values(((ns_0) ns121_0))"
+ "(let-values(((run-phase_0)"
+-"(if(eq? run-phase116_0 unsafe-undefined)(namespace-phase ns_0) run-phase116_0)))"
++"(if(eq? run-phase120_0 unsafe-undefined)(namespace-phase ns_0) run-phase120_0)))"
+ "(let-values()"
+ "(registry-call-with-lock"
+ "(namespace-module-registry$1 ns_0)"
+@@ -15022,24 +15066,25 @@ static const char *startup_source =
+ "(let-values()"
+ "(begin"
+ "(let-values()"
+-"(let-values(((mi204_0)"
++"(let-values(((mi210_0)"
+ " mi_0)"
+-"((ns205_0)"
++"((ns211_0)"
+ " ns_0)"
+-"((run-phase206_0)"
++"((run-phase212_0)"
+ " run-phase_0)"
+-"((temp207_0)"
++"((temp213_0)"
+ " #f)"
+-"((temp208_0)"
++"((temp214_0)"
+ " #f))"
+ "(run-module-instance!.1"
+-" temp208_0"
+-" run-phase206_0"
++" #f"
++" temp214_0"
++" run-phase212_0"
+ " '#hasheq()"
+ " null"
+-" temp207_0"
+-" mi204_0"
+-" ns205_0)))"
++" temp213_0"
++" mi210_0"
++" ns211_0)))"
+ "(values)))))"
+ "(values)))))"
+ "(if(not #f)"
+@@ -15053,42 +15098,42 @@ static const char *startup_source =
+ " loop_0)))))))))))"
+ "(case-lambda"
+ "((ns_0)(begin(namespace-run-available-modules!_0 ns_0 unsafe-undefined)))"
+-"((ns_0 run-phase116_0)(namespace-run-available-modules!_0 ns_0 run-phase116_0)))))"
++"((ns_0 run-phase120_0)(namespace-run-available-modules!_0 ns_0 run-phase120_0)))))"
+ "(define-values"
+ "(namespace-primitive-module-visit!)"
+ "(lambda(ns_0 name_0)"
+ "(begin"
+ "(let-values(((mi_0)(hash-ref(namespace-module-instances ns_0)(1/make-resolved-module-path name_0))))"
+-"(let-values(((mi209_0) mi_0)((ns210_0) ns_0)((temp211_0) 1)((temp212_0) #f)((temp213_0) #t))"
+-"(run-module-instance!.1 temp213_0 temp211_0 '#hasheq() null temp212_0 mi209_0 ns210_0))))))"
++"(let-values(((mi215_0) mi_0)((ns216_0) ns_0)((temp217_0) 1)((temp218_0) #f)((temp219_0) #t))"
++"(run-module-instance!.1 #f temp219_0 temp217_0 '#hasheq() null temp218_0 mi215_0 ns216_0))))))"
+ "(define-values"
+ "(namespace-module-use->module+linklet-instances.1)"
+-"(lambda(phase-shift120_0 shift-from118_0 shift-to119_0 ns124_0 mu125_0)"
++"(lambda(phase-shift124_0 shift-from122_0 shift-to123_0 ns128_0 mu129_0)"
+ "(begin"
+ " 'namespace-module-use->module+linklet-instances"
+-"(let-values(((ns_0) ns124_0))"
+-"(let-values(((mu_0) mu125_0))"
+-"(let-values(((shift-from_0) shift-from118_0))"
+-"(let-values(((shift-to_0) shift-to119_0))"
+-"(let-values(((phase-shift_0) phase-shift120_0))"
++"(let-values(((ns_0) ns128_0))"
++"(let-values(((mu_0) mu129_0))"
++"(let-values(((shift-from_0) shift-from122_0))"
++"(let-values(((shift-to_0) shift-to123_0))"
++"(let-values(((phase-shift_0) phase-shift124_0))"
+ "(let-values()"
+ "(let-values(((mod_0)(module-use-module mu_0)))"
+ "(let-values(((mi_0)"
+-"(let-values(((ns214_0) ns_0)"
+-"((temp215_0)"
++"(let-values(((ns220_0) ns_0)"
++"((temp221_0)"
+ "(1/module-path-index-resolve"
+ "(if shift-from_0"
+ "(module-path-index-shift mod_0 shift-from_0 shift-to_0)"
+ " mod_0)))"
+-"((phase-shift216_0) phase-shift_0)"
+-"((temp217_0) #t))"
++"((phase-shift222_0) phase-shift_0)"
++"((temp223_0) #t))"
+ "(namespace->module-instance.1"
+ " #f"
+-" temp217_0"
++" temp223_0"
+ " void"
+-" ns214_0"
+-" temp215_0"
+-" phase-shift216_0))))"
++" ns220_0"
++" temp221_0"
++" phase-shift222_0))))"
+ "(let-values(((m-ns_0)(module-instance-namespace mi_0)))"
+ "(let-values(((d_0)"
+ "(small-hash-ref"
+@@ -28298,6 +28343,7 @@ static const char *startup_source =
+ "((run-phase248_0)"
+ " run-phase_0))"
+ "(namespace-module-instantiate!.1"
++" #f"
+ " #t"
+ " run-phase248_0"
+ " '#hasheq()"
+@@ -49111,6 +49157,7 @@ static const char *startup_source =
+ "((phase37_0)"
+ " phase_1))"
+ "(namespace-module-instantiate!.1"
++" #f"
+ " #t"
+ " unsafe-undefined"
+ " '#hasheq()"
+@@ -51969,6 +52016,7 @@ static const char *startup_source =
+ "((phase14_0) phase_0)"
+ "((temp15_0) #f))"
+ "(namespace-module-instantiate!.1"
++" #f"
+ " temp15_0"
+ " phase14_0"
+ " '#hasheq()"
+@@ -51984,6 +52032,7 @@ static const char *startup_source =
+ "((phase18_0) phase_0)"
+ "((phase19_0) phase_0))"
+ "(namespace-module-instantiate!.1"
++" #f"
+ " #t"
+ " phase19_0"
+ " '#hasheq()"
+@@ -52047,6 +52096,7 @@ static const char *startup_source =
+ "((phase27_0) phase_0)"
+ "((temp28_0) #f))"
+ "(namespace-module-instantiate!.1"
++" #f"
+ " temp28_0"
+ " phase27_0"
+ " '#hasheq()"
diff -Nru racket-7.9+dfsg1/debian/patches/series racket-7.9+dfsg1/debian/patches/series
--- racket-7.9+dfsg1/debian/patches/series 1969-12-31 20:00:00.000000000 -0400
+++ racket-7.9+dfsg1/debian/patches/series 2021-07-24 11:13:09.000000000 -0300
@@ -0,0 +1,2 @@
+0001-prohibit-import-from-module-with-a-weak-code-inspect.patch
+0002-regenerate-startup.inc.patch
Reply to: