[Rd] Security assessment
Ivan Krylov
kry|ov@r00t @end|ng |rom gm@||@com
Wed Aug 30 11:42:13 CEST 2023
В Tue, 29 Aug 2023 15:43:24 +0000
"Jones, Jonathan D [US] (SP)" <Jonathan.Jones using ngc.com> пишет:
> Has any consideration or work been done to document or perform
> vulnerability testing for the R packages?
Is is specifically about third-party R packages or about R ecosystem as
a whole, including R itself?
This depends on your threat model, but generally, it's best not to
process untrusted data in R. As an example, see the stack overflow in
unserialize(), reported on R Bugzilla a few years ago. I am not aware
of any current vulnerabilities in R's built-in help server or the
network server packages hosted on CRAN, but I am not aware of them
having passed security audits, either, so it's best not to let R listen
on network ports on public networks.
> It would be a huge help to have a way to package whatever
> tools/libraries/etc into a adhoc package
CRAN packages are supposed to declare their third-party dependencies in
the SystemRequirements: field of their DESCRIPTION, but that's not the
only way a package could be bringing third-party code in the address
space of the R process. For example, some packages bundle their
dependencies inside the package archive without declaring anything,
which may mean falling behind in terms of security updates.
The CRAN team does their best to enforce the policy regarding the
third-party dependencies [*], but CRAN packages come with no warranty.
> or a breakdown of an R release contents
Would R Installation and Administration [**] help? R has a few
third-party dependencies, slightly different depending on the platform
(Windows/macOS/Unix-alikes), so make sure to check the sections for all
operating systems.
> Developers ask for specific library files and if I could map them to
> a package it would greatly reduce the amount of research.
By library files, do you mean external dependencies of a package, the
packages themselves, or something completely different?
--
Best regards,
Ivan
[*] https://cran.r-project.org/web/packages/policies.html
[**] https://cran.r-project.org/doc/manuals/r-release/R-admin.html
More information about the R-devel
mailing list