930936 – (CVE-2024-27322) dev-lang/R: arbitrary code execution in R's deserialization

Bug 930936 (CVE-2024-27322) - dev-lang/R: arbitrary code execution in R's deserialization

Summary: dev-lang/R: arbitrary code execution in R's deserialization

Status:	CONFIRMED

Alias:	CVE-2024-27322

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal critical (vote)
Assignee:	Gentoo Security

URL:	https://hiddenlayer.com/research/r-bi...
Whiteboard:	A1 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2024-04-29 16:33 UTC by Christopher Fore
Modified:	2024-04-29 16:40 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Fore 2024-04-29 16:33:19 UTC

CVE-2024-27322:

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with. 



This above is fixed in 4.4.0.