[R] Regarding the Security Vulnerability CVE-2024-27322
Ivan Krylov
Wed Jun 26 22:25:18 CEST 2024
Dear Aishwarya Priyadarshini,
Welcome to R-help! Most people here aren't affiliated with R Foundation.
On Wed, 26 Jun 2024 17:03:37 +0000
"Priya, Aishwarya via R-help" <r-help using r-project.org> wrote:
> I am reaching out to seek your guidance on addressing the security
> vulnerability CVE-2024-27322.
> To address this issue effectively, it appears that we need to first
> uninstall the existing older version before installing the latest
> version. This process should ensure that the security vulnerability
> is adequately resolved.
What's your threat model?
If you need the CVE fix purely because you are required to install it
by some sort of regulations, installing R-4.4.0 and removing all older
versions of R is definitely the right thing to do.
If you actually need to be secure against untrusted *.rds or *.rda
files, R-4.4.0 or any other version of R will be of no help to you.
There are too many ways to make an R object dangerous to use, and the
*.rds and *.rda files will faithfully represent the trapped R object
even in the absence of any vulnerabilities in the parser:
https://aitap.github.io/2024/05/02/unserialize.html
If you only process *.rds and *.rda files you trust, you've never been
in danger from this so-called vulnerability. Feel free to keep running
older versions of R.
--
Best regards,
Ivan
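The advice above reduces to one rule: a serialized R object is only as safe as its source, so the control belongs on provenance, not on the parser. The following is an added example, not code from the R-help thread or from R itself. It treats every *.rds file as executable content and hands it to readRDS() only after its SHA-256 matches a value recorded when the file was produced by a trusted pipeline. It assumes the digest package is installed (not part of base R); the allowlist entry and its hash are constructed placeholders.

```r
# Added example (not from the thread). Load an *.rds file only if its
# SHA-256 is on an allowlist recorded at build time by a trusted pipeline.
# Assumes the 'digest' package (CRAN) is installed.
library(digest)

# Record the hash of a file you just produced yourself, to be stored
# alongside the file by the pipeline that built it.
record_rds_hash <- function(path) {
  digest(file = path, algo = "sha256")
}

# Constructed allowlist: file name -> SHA-256 recorded when it was built.
# The value below is a placeholder, not a real hash.
TRUSTED_RDS <- c(
  "model.rds" = "<sha256 of model.rds recorded by the build pipeline>"
)

# Refuse to deserialize anything that is not on the allowlist or whose
# contents no longer match the recorded hash. readRDS() is reached only
# after both checks pass; the parser version is irrelevant to this control.
read_trusted_rds <- function(path, allowlist = TRUSTED_RDS) {
  name <- basename(path)
  expected <- unname(allowlist[name])
  if (is.na(expected)) {
    stop(sprintf("refusing to load %s: not on the allowlist", name))
  }
  actual <- digest(file = path, algo = "sha256")
  if (!identical(expected, actual)) {
    stop(sprintf("refusing to load %s: SHA-256 mismatch", name))
  }
  readRDS(path)
}

# Usage: obj <- read_trusted_rds("model.rds")
```

The allowlist should be maintained by the same process that produces the files, and kept apart from any directory where untrusted input can land; a hash that travels next to the file it describes proves nothing about who wrote either one.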