Re: [R] Regarding the Security Vulnerability CVE 2024 - 27322
On Thu, 27 Jun 2024 11:08:53, "Priya, Aishwarya" wrote:

> Is there a way to patch or upgrade the existing installation to
> version 4.4.0, rather than having to uninstall the older version and
> then install the latest one?

I don't think that there is a supported way to do that. The main problem is the library, the place where the user-installed packages are stored. While it's not impossible to take a library from R-4.2, transplant it to R-4.4, and selectively upgrade only the packages that need to be reinstalled, it takes manual effort and a lot of care, so libraries in general are considered to be incompatible between major or minor R versions [1]. (They should stay compatible between patch versions.)

Do I understand it correctly that you're only interested in the Windows builds of R?

If you need the upgrade to change as little as possible, you can try to take the source code for the R version you would like to fix, apply a single patch [2] on top of it, compile R using the corresponding version of Rtools [3] and replace R.dll with the updated version. The version of R will remain old, but the installation will be formally immune to CVE 2024-27322. It should work, but there is no written document promising that it will work.

[1] https://cran.r-project.org/bin/windows/base/rw-FAQ.html#What_0027s-the-best-way-to-upgrade_003f
[2] https://stat.ethz.ch/pipermail/r-devel/2024-April/083393.html
[3] https://cran.r-project.org/bin/windows/base/howto-R-devel.html

-- 
Best regards,
Ivan

______________________________________________
R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
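The library-migration work Ivan describes above (carry the user library over from an older R, reinstall only the packages that were built under a different major.minor version, and verify the result) can be scripted. The block below is an added example written for this page; it is not code from the thread, from R itself or from CRAN. The two library paths are hypothetical placeholders, it assumes it is run from the new R (4.4.x) with network access to a CRAN mirror, and the CVE check at the end only looks at the reported R version, so it cannot see a rebuilt R.dll of the kind Ivan mentions.

```r
## Added example, not part of the original thread.
## Migrate a user library from an older R to a newer R by reinstalling
## every package whose "Built" version differs in major.minor from the
## running R, then report what still needs manual attention.

old_lib <- "C:/Users/me/AppData/Local/R/win-library/4.2"  # hypothetical path
new_lib <- "C:/Users/me/AppData/Local/R/win-library/4.4"  # hypothetical path

## "major.minor" of a version string or numeric_version ("4.2.3" -> "4.2").
major_minor <- function(v) {
  parts <- strsplit(as.character(v), ".", fixed = TRUE)[[1]]
  paste(parts[1:2], collapse = ".")
}

## Packages in a library, with the R version each one was built under.
## installed.packages() returns a character matrix; the "Built" column is
## what makes a compiled package incompatible across minor R versions.
list_packages <- function(lib) {
  ip <- installed.packages(lib.loc = lib)
  data.frame(Package = ip[, "Package"],
             Version = ip[, "Version"],
             Built   = ip[, "Built"],
             stringsAsFactors = FALSE, row.names = NULL)
}

## TRUE when a package built under `built` must be reinstalled for `running`.
needs_rebuild <- function(built, running = getRversion()) {
  major_minor(built) != major_minor(running)
}

## Reinstall the old library's add-on packages into the new library.
## Base and recommended packages ship with R itself, so they are skipped.
## Returns the names of packages that could not be reinstalled (removed
## from CRAN, installed from a local tarball, ...), which need manual care.
migrate_library <- function(old_lib, new_lib, repos = getOption("repos")) {
  old  <- list_packages(old_lib)
  ship <- rownames(installed.packages(priority = "high"))   # base + recommended
  todo <- setdiff(old$Package[needs_rebuild(old$Built)], ship)
  dir.create(new_lib, recursive = TRUE, showWarnings = FALSE)
  if (length(todo))
    install.packages(todo, lib = new_lib, repos = repos)
  setdiff(todo, rownames(installed.packages(lib.loc = new_lib)))
}

## CVE-2024-27322 is fixed in R 4.4.0. This checks only the version number
## of the running R; an older R whose R.dll was rebuilt with the patch
## applied (as described in the thread) still reports the old version.
fixed_for_cve_2024_27322 <- function(v = getRversion()) {
  v >= "4.4.0"
}

if (sys.nframe() == 0L) {
  cat("Running R", as.character(getRversion()),
      if (fixed_for_cve_2024_27322()) "(CVE-2024-27322 fixed by version)\n"
      else "(version predates the CVE-2024-27322 fix)\n")
  print(needs_rebuild("4.2.3", package_version("4.4.0")))  # TRUE
  print(needs_rebuild("4.4.0", package_version("4.4.1")))  # FALSE
  leftover <- migrate_library(old_lib, new_lib)
  if (length(leftover)) cat("Manual attention:", leftover, "\n")
}
```

Once the new library exists, `update.packages(lib.loc = new_lib, checkBuilt = TRUE, ask = FALSE)` from the new R catches anything that slipped through, since `checkBuilt = TRUE` treats a package built under an earlier minor version as outdated. Packages that fail to reinstall are listed rather than silently dropped, which is the part of the migration Ivan warns needs care.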
Re: [R] Regarding the Security Vulnerability CVE 2024 - 27322
Hi Ivan and R-Help Team,

Thank you for your prompt response and the helpful information. I have another query: Is there a way to patch or upgrade the existing installation to version 4.4.0, rather than having to uninstall the older version and then install the latest one? A direct upgrade or patch would greatly simplify the process and reduce downtime.

Your guidance on this matter would be greatly appreciated. Thank you once again for your assistance.

Thanks & Regards,
Aishwarya Priyadarshini
TMX Software Delivery, Virtualization & Telemetry
Dell Digital | Team Member eXperience
aishwarya_pr...@dell.com

-----Original Message-----
From: Ivan Krylov
Sent: Thursday, June 27, 2024 1:55 AM
To: r-help@r-project.org
Cc: Priya, Aishwarya
Subject: Re: [R] Regarding the Security Vulnerability CVE 2024 - 27322

Dear Aishwarya Priyadarshini,

Welcome to R-help! Most people here aren't affiliated with R Foundation.

On Wed, 26 Jun 2024 17:03:37, "Priya, Aishwarya via R-help" wrote:

> I am reaching out to seek your guidance on addressing the security
> vulnerability CVE-2024-27322.

> To address this issue effectively, it appears that we need to first
> uninstall the existing older version before installing the latest
> version. This process should ensure that the security vulnerability is
> adequately resolved.

What's your threat model?

If you need the CVE fix purely because you are required to install it by some sort of regulations, installing R-4.4.0 and removing all older versions of R is definitely the right thing to do.

If you actually need to be secure against untrusted *.rds or *.rda files, R-4.4.0 or any other version of R will be of no help to you. There are too many ways to make an R object dangerous to use, and the *.rds and *.rda files will faithfully represent the trapped R object even in the absence of any vulnerabilities in the parser: https://aitap.github.io/2024/05/02/unserialize.html

If you only process *.rds and *.rda files you trust, you've never been in danger from this so-called vulnerability. Feel free to keep running older versions of R.

-- 
Best regards,
Ivan
Re: [R] Regarding the Security Vulnerability CVE 2024 - 27322
On 2024-06-26 4:25 p.m., Ivan Krylov via R-help wrote:
> Dear Aishwarya Priyadarshini,
>
> Welcome to R-help! Most people here aren't affiliated with R Foundation.
>
> On Wed, 26 Jun 2024 17:03:37, "Priya, Aishwarya via R-help" wrote:
>
>> I am reaching out to seek your guidance on addressing the security
>> vulnerability CVE-2024-27322.
>> To address this issue effectively, it appears that we need to first
>> uninstall the existing older version before installing the latest
>> version. This process should ensure that the security vulnerability is
>> adequately resolved.
>
> What's your threat model?
>
> If you need the CVE fix purely because you are required to install it by
> some sort of regulations, installing R-4.4.0 and removing all older
> versions of R is definitely the right thing to do.
>
> If you actually need to be secure against untrusted *.rds or *.rda files,
> R-4.4.0 or any other version of R will be of no help to you. There are
> too many ways to make an R object dangerous to use, and the *.rds and
> *.rda files will faithfully represent the trapped R object even in the
> absence of any vulnerabilities in the parser:
> https://aitap.github.io/2024/05/02/unserialize.html
>
> If you only process *.rds and *.rda files you trust, you've never been in
> danger from this so-called vulnerability. Feel free to keep running older
> versions of R.

I spent a little while working in a secure data centre where they wouldn't allow us shell access "for security reasons", but they did allow us to use R. It would have made things very inconvenient if I had told them about the system() command, so I didn't bother ...

Ben Bolker
Re: [R] Regarding the Security Vulnerability CVE 2024 - 27322
Dear Aishwarya Priyadarshini,

Welcome to R-help! Most people here aren't affiliated with R Foundation.

On Wed, 26 Jun 2024 17:03:37, "Priya, Aishwarya via R-help" wrote:

> I am reaching out to seek your guidance on addressing the security
> vulnerability CVE-2024-27322.

> To address this issue effectively, it appears that we need to first
> uninstall the existing older version before installing the latest
> version. This process should ensure that the security vulnerability
> is adequately resolved.

What's your threat model?

If you need the CVE fix purely because you are required to install it by some sort of regulations, installing R-4.4.0 and removing all older versions of R is definitely the right thing to do.

If you actually need to be secure against untrusted *.rds or *.rda files, R-4.4.0 or any other version of R will be of no help to you. There are too many ways to make an R object dangerous to use, and the *.rds and *.rda files will faithfully represent the trapped R object even in the absence of any vulnerabilities in the parser: https://aitap.github.io/2024/05/02/unserialize.html

If you only process *.rds and *.rda files you trust, you've never been in danger from this so-called vulnerability. Feel free to keep running older versions of R.

-- 
Best regards,
Ivan