[R] Regarding the Security Vulnerability CVE 2024 - 27322

Priya, Aishwarya A|@hw@ry@@Pr|y@ @end|ng |rom de||@com
Thu Jun 27 13:08:53 CEST 2024 

Hi Ivan and R - Help Team,

Thank you for your prompt response and the helpful information.

I have another query: Is there a way to patch or upgrade the existing installation to version 4.4.0, rather than having to uninstall the older version and then install the latest one? A direct upgrade or patch would greatly simplify the process and reduce downtime.

Your guidance on this matter would be greatly appreciated.

Thank you once again for your assistance.

Thanks & Regards,
Aishwarya Priyadarshini
TMX Software Delivery, Virtualization & Telemetry
Dell Digital | Team Member eXperience
Aishwarya_Priya using Dell.com
-----------------------------------------------------------------------------------------------------------------------------------


Internal Use - Confidential
-----Original Message-----
From: Ivan Krylov <ikrylov using disroot.org>
Sent: Thursday, June 27, 2024 1:55 AM
To: r-help using r-project.org
Cc: Priya, Aishwarya <Aishwarya_Priya using Dell.com>
Subject: Re: [R] Regarding the Security Vulnerability CVE 2024 - 27322


[EXTERNAL EMAIL]

Dear Aishwarya Priyadarshini,

Welcome to R-help! Most people here aren't affiliated with R Foundation.

В Wed, 26 Jun 2024 17:03:37 +0000
"Priya, Aishwarya via R-help" <r-help using r-project.org> пишет:

> I am reaching out to seek your guidance on addressing the security
> vulnerability CVE-2024-27322.

> To address this issue effectively, it appears that we need to first
> uninstall the existing older version before installing the latest
> version. This process should ensure that the security vulnerability is
> adequately resolved.

What's your threat model?

If you need the CVE fix purely because you are required to install it by some sort of regulations, installing R-4.4.0 and removing all older versions of R is definitely the right thing to do.

If you actually need to be secure against untrusted *.rds or *.rda files, R-4.4.0 or any other version of R will be of no help to you.
There are too many ways to make an R object dangerous to use, and the *.rds and *.rda files will faithfully represent the trapped R object even in the absence of any vulnerabilities in the parser:
https://urldefense.com/v3/__https://aitap.github.io/2024/05/02/unserialize.html__;!!LpKI!hEQ5oMp6_ra80HnvSAfdgKZt9ARNgbyOd8c5YyJFuWpSxoe_KV5GJppNJH1qabGv0xeYnGuABnLkherDiCFt$ [aitap[.]github[.]io]

If you only process *.rds and *.rda files you trust, you've never been in danger from this so-called vulnerability. Feel free to keep running older versions of R.

--
Best regards,
Ivan

More information about the R-help mailing list