[R] Regarding the Security Vulnerability CVE-2024-27322

Ben Bolker
Wed Jun 26 22:36:51 CEST 2024



On 2024-06-26 4:25 p.m., Ivan Krylov via R-help wrote:
> Dear Aishwarya Priyadarshini,
> 
> Welcome to R-help! Most people here aren't affiliated with R Foundation.
> 
> On Wed, 26 Jun 2024 17:03:37 +0000
> "Priya, Aishwarya via R-help" <r-help using r-project.org> writes:
> 
>> I am reaching out to seek your guidance on addressing the security
>> vulnerability CVE-2024-27322.
> 
>> To address this issue effectively, it appears that we need to first
>> uninstall the existing older version before installing the latest
>> version. This process should ensure that the security vulnerability
>> is adequately resolved.
> 
> What's your threat model?
> 
> If you need the CVE fix purely because you are required to install it
> by some sort of regulations, installing R-4.4.0 and removing all older
> versions of R is definitely the right thing to do.
> 
> If you actually need to be secure against untrusted *.rds or *.rda
> files, R-4.4.0 or any other version of R will be of no help to you.
> There are too many ways to make an R object dangerous to use, and the
> *.rds and *.rda files will faithfully represent the trapped R object
> even in the absence of any vulnerabilities in the parser:
> https://aitap.github.io/2024/05/02/unserialize.html
> 
> If you only process *.rds and *.rda files you trust, you've never been
> in danger from this so-called vulnerability. Feel free to keep running
> older versions of R.
> 

   I spent a little while working in a secure data centre where they 
wouldn't allow us shell access "for security reasons", but they did 
allow us to use R. It would have made things very inconvenient if I had 
told them about the system() command, so I didn't bother ...

   Ben Bolker
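A worked illustration of the point in Ivan Krylov's quoted reply, that a data file can hurt you with no bug in the parser at all. This is an added example, not code from the thread, from the blog post it links, or from R core; the temp file, the `inspect_rda` and `has_callable` helpers and the use of `cat()` as a stand-in for a real payload such as `system()` are assumptions of the example. `load()` assigns every object in an .rda file into the caller's environment, so a file that happens to contain a closure named `print` masks `base::print` for the rest of an interactive session; the same trick works with `library`, `q`, or any other function the user is about to call, on R 4.4.0 exactly as on older releases.

```r
## Added example (not from the thread or from R): an .rda file whose payload is
## an ordinary closure. Nothing here relies on CVE-2024-27322 or any other
## unserialize bug; the file is a faithful record of the object it contains.

tmp <- tempfile(fileext = ".rda")   # assumption: scratch file for the demo

## --- the untrusted side: build the file -------------------------------------
local({
  ## A closure named `print`. cat() stands in for the real payload; system()
  ## would work the same way, which is Ben Bolker's point about shell access.
  print <- function(x, ...) {
    cat("<< payload ran while printing >>\n")
    base::print(x, ...)              # then behave normally so nobody notices
  }
  data <- data.frame(a = 1:3)        # the innocuous object the recipient wants
  save(data, print, file = tmp)      # both objects go into the same file
})

## --- the careless recipient ---------------------------------------------------
load(tmp)        # assigns `data` AND `print` into .GlobalEnv
print(data)      # resolves to the loaded closure, which masks base::print

## --- the careful recipient: look before you load -----------------------------

## TRUE if an object is callable or could carry code when touched: a function,
## an environment, a call/formula, or a list/attribute that contains one.
has_callable <- function(obj) {
  if (is.function(obj) || is.environment(obj) || is.language(obj)) return(TRUE)
  if (is.list(obj) && any(vapply(obj, has_callable, logical(1)))) return(TRUE)
  any(vapply(attributes(obj), has_callable, logical(1)))
}

## Load into a throwaway environment so nothing reaches .GlobalEnv, then
## report what the file would have defined and whether any of it is code.
inspect_rda <- function(path) {
  e <- new.env(parent = emptyenv())
  nms <- load(path, envir = e)
  data.frame(
    name       = nms,
    class      = vapply(nms, function(n) class(get(n, envir = e))[1], character(1)),
    suspicious = vapply(nms, function(n) has_callable(get(n, envir = e)), logical(1)),
    row.names  = NULL
  )
}

inspect_rda(tmp)   # shows `print` as a function flagged suspicious
rm(print)          # undo the masking in this session
```

The same inspection applies to `readRDS()`: it returns a single object, so run `has_callable()` on the result before handing it to anything that will call, print, or index it. Neither check is a substitute for trusting the source; it only tells you whether the file carries something that can run.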
