765361 – (CVE-2020-27637) <dev-lang/R-4.0.4: code execution via malicious CRAN package (CVE-2020-27637)

Bug 765361 (CVE-2020-27637) - <dev-lang/R-4.0.4: code execution via malicious CRAN package (CVE-2020-27637)

Summary: <dev-lang/R-4.0.4: code execution via malicious CRAN package (CVE-2020-27637)

Status:	IN_PROGRESS

Alias:	CVE-2020-27637

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://labs.bishopfox.com/advisories...
Whiteboard:	B2 [glsa+]
Keywords:

Depends on:
Blocks:	776781
	Show dependency tree

Reported:	2021-01-13 22:40 UTC by John Helmert III
Modified:	2024-01-06 09:05 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-01-13 22:40:37 UTC

CVE-2020-27637:

The R programming language's default package manager CRAN is affected by a path traversal vulnerability that can lead to server compromise. This vulnerability affects packages installed via the R CMD install cli command or the install.packages() function from the interpreter. Update to version 4.0.3


Please bump.

Comment 1 Michael Orlitzky gentoo-dev

2021-03-10 00:24:04 UTC

Beat me to it:

commit ce6e78601bb5c33852051754f575272a05ef9c5c
Author: Mikle Kolyada <zlogene@gentoo.org>
Date:   Fri Mar 5 15:55:15 2021 +0300

    dev-lang/R: Version bump (v4.0.4)

    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

Comment 2 John Helmert III archtester

2021-03-10 01:15:24 UTC

Please proceed with stabilization when ready.

Comment 3 Michael Orlitzky gentoo-dev

2021-03-17 11:35:09 UTC

Let's get it stabilized... the existing stable ebuild has gcc-10 problems anyway.

Comment 4 Mikle Kolyada (RETIRED) archtester

2021-03-19 18:08:10 UTC

amd64 stable

Comment 5 Sam James archtester

2021-03-28 10:59:01 UTC

x86 done

Comment 6 Sam James archtester

2021-03-28 19:43:43 UTC

arm64 done

Comment 7 Rolf Eike Beer archtester

2021-04-11 20:17:38 UTC

sparc stable

Comment 8 John Helmert III archtester

2021-04-11 20:24:21 UTC

Please cleanup, thanks!

Comment 9 Larry the Git Cow gentoo-dev

2021-04-20 11:06:21 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92d5e5c89778eb7ce15420c71a3f7abd0bdf6b7e

commit 92d5e5c89778eb7ce15420c71a3f7abd0bdf6b7e
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2021-04-20 11:06:05 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-04-20 11:06:05 +0000

    dev-lang/R: Remove old 3.4.1, 3.6.3-r1, 4.0.2
    
    Bug: https://bugs.gentoo.org/765361
    Closes: https://bugs.gentoo.org/776781
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-lang/R/Manifest          |   3 -
 dev-lang/R/R-3.4.1.ebuild    | 203 ------------------------------------
 dev-lang/R/R-3.6.3-r1.ebuild | 234 -----------------------------------------
 dev-lang/R/R-4.0.2.ebuild    | 243 -------------------------------------------
 4 files changed, 683 deletions(-)

Comment 10 John Helmert III archtester

2021-04-20 13:13:47 UTC

Thank you!

Comment 11 NATTkA bot gentoo-dev

2021-07-29 17:24:31 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 12 NATTkA bot gentoo-dev

2021-07-29 17:33:01 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 13 NATTkA bot gentoo-dev

2021-07-29 17:40:52 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 14 NATTkA bot gentoo-dev

2021-07-29 17:49:03 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 15 NATTkA bot gentoo-dev

2021-07-29 18:04:58 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 16 NATTkA bot gentoo-dev

2021-07-29 18:13:16 UTC

Package list is empty or all packages have requested keywords.

Comment 17 Larry the Git Cow gentoo-dev

2024-01-06 09:04:23 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=6de45d78fb7f4cf3386f767a9e6b4d48cc85ce88

commit 6de45d78fb7f4cf3386f767a9e6b4d48cc85ce88
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-06 09:03:55 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-06 09:04:19 +0000

    [ GLSA 202401-07 ] R: Directory Traversal
    
    Bug: https://bugs.gentoo.org/765361
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-07.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)