On 12 June 2024 at 17:20, Vincent Danjean wrote:
| Package: r-base
| Version: 3.5.2-1
| Severity: important
| Tags: security upstream
| X-Debbugs-Cc: Debian Security Team <[email protected]>
|
| I create this bug in order to track the fix of this CVE in pre-trixie Debian
| releases. I mark it as found in buster release, but it is also present in
| older releases. I will mark it as fixed in 4.4.0-2 (currently sid and trixie).
|
| According to the CVE description:
| Deserialization of untrusted data can occur in the R statistical programming
| language, on any version starting at 1.4.0 up to and not including 4.4.0,
| enabling a maliciously crafted RDS (R Data Serialization) formatted file or R
| package to run arbitrary code on an end user's system when interacted with.
|
| If possible, this bug should be fixed, at least in Debian stable (and possibly oldstable).
| The reason is that, due to local code or library incompatibility, it is not
| always easy/feasible to upgrade r-base without involving lots of work. And R is
| used by lots of people that do not necessarily have enough skills to fix code
| when upgrading r-base and finding problems.
|
| Following CVE links, I found this patch:
| https://src.fedoraproject.org/rpms/R/blob/f39/f/R-CVE-2024-27322.patch
| It seems simple enough to have the hope that it can be applied to previous
| r-base versions (but I did not check it).
Just FYI the view of R Core (upstream) and the R Foundation (I'm on the board) is that this is a nothingburger. We would love for the CVE to be retracted but nobody (among a team of volunteers) has time or energy to pursue this. See https://blog.r-project.org/2024/05/10/statement-on-cve-2024-27322/index.html for the official statement.

That said, the CVE is out there and distributors like us (it also hit me via the Rocker Project and the R docker containers we maintain there) get questions. Ah well.

Cheers, Dirk

| Regards,
| Vincent
|
| -- System Information:
| Debian Release: trixie/sid
| APT prefers stable-updates
| APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
| Architecture: amd64 (x86_64)
| Foreign Architectures: i386, armel
|
| Kernel: Linux 6.8.9-amd64 (SMP w/4 CPU threads; PREEMPT)
| Kernel taint flags: TAINT_OOT_MODULE
| Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE not set
| Shell: /bin/sh linked to /usr/bin/dash
| Init: systemd (via /run/systemd/system)
|
| Versions of packages r-base depends on:
| ii r-base-core 4.4.0-2
| ii r-recommended 4.4.0-2
|
| Versions of packages r-base recommends:
| ii r-base-html 4.4.0-2
| ii r-doc-html 4.4.0-2
|
| Versions of packages r-base suggests:
| ii elpa-ess 24.01.1-1
| pn r-doc-info | r-doc-pdf <none>
|
| -- no debconf information

--
dirk.eddelbuettel.com | @eddelbuettel | [email protected]

