[R] De-serialization vulnerability?

peter dalgaard pd@|gd @end|ng |rom gm@||@com
Thu May 2 11:31:43 CEST 2024


As a general matter, security holes are usually not advertised by detailing them in the NEWS file. 

The disclosure of such things goes on a different schedule, typically _after_ binaries are out, at which point editing the NEWS file is too late. 

There are other things that do not go into NEWS: Documentation fixups, etc. What does go in is end-user visible functional changes and items that have an explicit PR# against them. 

- Peter D. 



> On 1 May 2024, at 18:57 , Howard, Tim G (DEC) via R-help <r-help using r-project.org> wrote:
> 
> All, 
> There seems to be a hullaboo about a vulnerability in R when deserializing untrusted data:
> 
> https://hiddenlayer.com/research/r-bitrary-code-execution
> 
> https://nvd.nist.gov/vuln/detail/CVE-2024-27322
> 
> https://www.kb.cert.org/vuls/id/238194
> 
> 
> Apparently a fix was made for R 4.4.0, but I see no mention of it in the changes report:
> 
> https://cloud.r-project.org/bin/windows/base/NEWS.R-4.4.0.html
> 
> Is this real?  Were there changes in R 4.4.0 that aren't reported?
> 
> Of course, we should *always* update to the most recent version, but I was confused why it wasn't mentioned in the release info. 
> 
> Thanks,
> Tim
> 
> ______________________________________________
> R-help using r-project.org mailing list -- To UNSUBSCRIBE and more, see
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.

-- 
Peter Dalgaard, Professor,
Center for Statistics, Copenhagen Business School
Solbjerg Plads 3, 2000 Frederiksberg, Denmark
Phone: (+45)38153501
Office: A 4.23
Email: pd.mes using cbs.dk  Priv: PDalgd using gmail.com



More information about the R-help mailing list