On 2024-06-26 4:25 p.m., Ivan Krylov via R-help wrote:
Dear Aishwarya Priyadarshini,

Welcome to R-help! Most people here aren't affiliated with R Foundation.

On Wed, 26 Jun 2024 17:03:37 +0000
"Priya, Aishwarya via R-help" <r-help@r-project.org> writes:

I am reaching out to seek your guidance on addressing the security
vulnerability CVE-2024-27322.

To address this issue effectively, it appears that we need to first
uninstall the existing older version before installing the latest
version. This process should ensure that the security vulnerability
is adequately resolved.

What's your threat model?

If you need the CVE fix purely because you are required to install it
by some sort of regulations, installing R-4.4.0 and removing all older
versions of R is definitely the right thing to do.

If you actually need to be secure against untrusted *.rds or *.rda
files, R-4.4.0 or any other version of R will be of no help to you.
There are too many ways to make an R object dangerous to use, and the
*.rds and *.rda files will faithfully represent the trapped R object
even in the absence of any vulnerabilities in the parser:
https://aitap.github.io/2024/05/02/unserialize.html

If you only process *.rds and *.rda files you trust, you've never been
in danger from this so-called vulnerability. Feel free to keep running
older versions of R.


I spent a little while working in a secure data centre where they wouldn't allow us shell access "for security reasons", but they did allow us to use R. It would have made things very inconvenient if I had told them about the system() command, so I didn't bother ...

  Ben Bolker
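The following is an added example, not part of any message in this thread, illustrating the "only process *.rds and *.rda files you trust" advice above as an explicit check rather than an implicit assumption: the file's SHA-256 digest is compared against an allowlist recorded when the file was produced, before readRDS() ever unserializes it. It assumes the `digest` package is installed; the function names `read_trusted_rds`, `record_trusted_rds` and `demo_trusted_rds` are hypothetical, and the allowlist entry is a constructed placeholder.

```r
# Added example, not code from the thread. Assumes the 'digest' CRAN package.
library(digest)

# Allowlist of file name -> SHA-256 digest, recorded when *you* produced the
# file. The value below is a constructed placeholder, not a real digest.
trusted_rds <- c(
  "model-v3.rds" = "<sha256 of a file you produced yourself>"
)

# Record a digest at the point where a trusted file is written, so the
# allowlist reflects provenance rather than a hash of whatever arrived later.
record_trusted_rds <- function(object, path) {
  saveRDS(object, path)
  digest(file = path, algo = "sha256")
}

# Hash the raw bytes first; unserialize only if the digest is on the allowlist.
# This does not make an untrusted file safe (see the unserialize post linked
# above); it only refuses files that are not the ones you already trust.
read_trusted_rds <- function(path, allowlist = trusted_rds) {
  name <- basename(path)
  expected <- unname(allowlist[name])
  if (is.na(expected)) {
    stop("refusing to load ", name, ": not on the allowlist")
  }
  actual <- digest(file = path, algo = "sha256")
  if (!identical(expected, actual)) {
    stop("refusing to load ", name, ": digest mismatch (", actual, ")")
  }
  readRDS(path)
}

# Self-contained demonstration with a constructed object in a temp directory.
demo_trusted_rds <- function() {
  path <- file.path(tempdir(), "example.rds")
  allow <- c(example.rds = record_trusted_rds(list(a = 1:3), path))

  ok <- read_trusted_rds(path, allow)   # matches the recorded digest: loads
  stopifnot(identical(ok$a, 1:3))

  # Tamper with the file after the digest was recorded: one extra byte.
  cat("x", file = path, append = TRUE)
  refused <- tryCatch(read_trusted_rds(path, allow),
                      error = function(e) conditionMessage(e))
  stopifnot(grepl("digest mismatch", refused))

  # A file that was never recorded is refused regardless of its contents.
  unknown <- tryCatch(read_trusted_rds(file.path(tempdir(), "other.rds"), allow),
                      error = function(e) conditionMessage(e))
  stopifnot(grepl("not on the allowlist", unknown))
  invisible(TRUE)
}

demo_trusted_rds()
```

The allowlist is only as trustworthy as the process that fills it; if digests are copied from the same untrusted channel as the files, the check proves nothing. The point is to turn "trusted" into a recorded decision that can be audited, which is what a regulator asking about CVE-2024-27322 is usually really after.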

______________________________________________
R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.