
Conversation

@gaborcsardi
Contributor

We also update the NEWS file, so by grepping for
'CVE-2024-27322' one can tell if the patched version is installed or not.

@gaborcsardi gaborcsardi requested a review from glin May 15, 2024 14:37
@stevenolen
Contributor

That NEWS change implies that users will need to reinstall all packages in their existing environments -- is that correct?

@gaborcsardi
Contributor Author

gaborcsardi commented May 16, 2024

> That NEWS change implies that users will need to reinstall all packages in their existing environments -- is that correct?

No, no need to reinstall packages. What you see above is not our patch, it is the regular R NEWS, and what they mean is that if you installed packages for earlier versions of R (i.e. 3.6.x or earlier in this case), you cannot use those with R 4.0.0.

But sensible people install packages into libraries that are specific for a certain (minor) R version, so in practice no need to reinstall anything.

@stevenolen
Contributor

> But sensible people install packages into libraries that are specific for a certain (minor) R version, so in practice no need to reinstall anything.

Ah, yes. Definitely a standard expectation for us.

At install time the other NEWS files will be
re-generated from NEWS.Rd.

To check if your R version is patched, search for
'CVE-2024-27322' in the NEWS. From the command line:
```
grep -C 5 CVE-2024-27322 /opt/R/4.0.0/lib/R/doc/NEWS
```

From R:
```
options(browser = "false")
news(grepl("CVE-2024-27322", Text))
```
@gaborcsardi
Contributor Author

gaborcsardi commented May 17, 2024

@glin OK, this should be better now. All the other NEWS files (NEWS, NEWS.pdf, NEWS.html) are re-generated at install time, so we don't patch those.

To check if your R version is patched, search for 'CVE-2024-27322' in the NEWS.

From the command line:

```
grep -C 5 CVE-2024-27322 /opt/R/4.0.0/lib/R/doc/NEWS
  CHANGES IN POSIT'S BUILD FROM <URL:
  https://github.com/rstudio/r-builds>:

    * readRDS() and unserialize() now signal an error instead of
      returning a PROMSXP, to fix CVE-2024-27322.

  SIGNIFICANT USER-VISIBLE CHANGES:

    * Packages need to be (re-)installed under this version (4.0.0) of
      R.
```

From R:

```
options(browser = "false")
news(grepl("CVE-2024-27322", Text))
                        Changes in version 4.0.0                        

CHANGES IN POSIT'S BUILD FROM <URL:

    o   readRDS() and unserialize() now signal an error instead of
        returning a PROMSXP, to fix CVE-2024-27322.
```

(I am not sure why the URL does not show up in R, probably an R bug.)
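The check described in the comment above applies to one install path at a time. The following added example (not code from the rstudio/r-builds PR or from R itself) generalises it: it walks every R version under a prefix and reports which ones carry the CVE-2024-27322 fix by searching their NEWS file, and it distinguishes an unpatched install from one whose NEWS file is missing. The assumed layout is `<prefix>/<version>/lib/R/doc/NEWS`, matching the `/opt/R/4.0.0/...` path used in the PR; the NEWS contents it scans when run without arguments are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the rstudio/r-builds PR: scan every R install
# under a prefix and report which ones carry the CVE-2024-27322 fix, using the
# same NEWS search the PR describes. Assumed layout (matches /opt/R/4.0.0/...):
#   <prefix>/<version>/lib/R/doc/NEWS

CVE_ID="CVE-2024-27322"

# news_is_patched NEWS_FILE
# exit 0 if NEWS mentions the CVE, 1 if it does not, 2 if the file is unreadable
news_is_patched() {
    [ -r "$1" ] || return 2
    grep -q "$CVE_ID" "$1"
}

# show_fix_entry NEWS_FILE
# print the NEWS entry with five lines of context, as in the PR's grep -C 5
show_fix_entry() {
    grep -C 5 "$CVE_ID" "$1"
}

# scan_r_prefix PREFIX
# one line per install: "<version> patched" | "<version> unpatched" | "<version> no-news"
scan_r_prefix() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        version=$(basename "$dir")
        # capture the status without tripping 'set -e' in a caller
        news_is_patched "${dir}lib/R/doc/NEWS" && rc=0 || rc=$?
        case $rc in
            0) echo "$version patched" ;;
            2) echo "$version no-news" ;;
            *) echo "$version unpatched" ;;
        esac
    done
}

# demo_constructed_layout
# build a throwaway prefix with constructed NEWS files (sample data, not real
# installations) for a patched and an unpatched version, then scan it
demo_constructed_layout() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/4.0.0/lib/R/doc" "$tmp/3.6.3/lib/R/doc" "$tmp/4.3.3/lib/R/doc"
    cat > "$tmp/4.0.0/lib/R/doc/NEWS" <<'EOF'
  CHANGES IN POSIT'S BUILD FROM <URL:
  https://github.com/rstudio/r-builds>:

    * readRDS() and unserialize() now signal an error instead of
      returning a PROMSXP, to fix CVE-2024-27322.
EOF
    printf '  CHANGES IN R VERSION 3.6.3:\n' > "$tmp/3.6.3/lib/R/doc/NEWS"
    # 4.3.3 is left without a NEWS file to exercise the "no-news" branch
    scan_r_prefix "$tmp"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then
    scan_r_prefix "$1"        # e.g. ./check_r_cve.sh /opt/R
else
    demo_constructed_layout
fi
```

Run it with the prefix that holds your R installations (`/opt/R` in the PR's example) to get one status line per version; with no arguments it scans the constructed sample layout, printing `3.6.3 unpatched`, `4.0.0 patched` and `4.3.3 no-news`. A `no-news` result means the check could not be made, not that the install is safe, so treat it like `unpatched` until the NEWS file is located.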


@glin glin left a comment


Looks good, thanks for taking care of this.

@glin
Contributor

glin commented May 17, 2024

@gaborcsardi Yeah it seems like an R bug. At least with 4.3.3, the URL shows up correctly:

```
> options(browser = "false")
> news(grepl("CVE-2024-27322", Text))

                        Changes in version 4.3.3                        

CHANGES IN POSIT'S BUILD FROM <https://github.com/rstudio/r-builds>

    o   readRDS() and unserialize() now signal an error instead of
        returning a PROMSXP, to fix CVE-2024-27322.
```

@edavidaja edavidaja linked an issue May 17, 2024 that may be closed by this pull request
@glin glin merged commit 4cbb798 into main May 17, 2024
@glin glin deleted the fix/CVE-2024-27322 branch May 20, 2024 23:06
Successfully merging this pull request may close these issues.

Patching older versions of R for CVE-2024-27322
