[R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit
Maciej Nasinski
n@@|n@k|@m@c|ej @end|ng |rom gm@||@com
Fri May 3 11:37:57 CEST 2024
I hope this message finds you well.
Following the recent announcement of a vulnerability related to the
RDS exploit in R
(https://hiddenlayer.com/research/r-bitrary-code-execution/).
Recent discussions on social media have raised concerns about the
credibility of the R language. Any code, including pure R code, can
potentially be malicious if it is executed without proper scrutiny.
It is worth noting that a similar problem was reported for the Python
pickle a few years ago:
https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/#Exploiting-Serialization.
In my opinion, not an exploit is a central problem, but if it is
introduced in any CRAN package.
I believe we must conduct a comprehensive review of all existing CRAN
packages. Additionally, I will expect an introduction of an additional
step in the R CMD check process. It is stated that R Team is aware of
that, and the exploit is fixed in R 4.4.0, but I can not find any
clear bullet point in the NEWS file for 4.4.0
(https://cran.r-project.org/doc/manuals/r-release/NEWS.html).
I look forward to your thoughts and collaborating closely on this urgent review.
KR
Maciej Nasinski
University of Warsaw
More information about the R-package-devel
mailing list