Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 930936 (CVE-2024-27322)

Summary: <dev-lang/R-4.4.1: arbitrary code execution in R's deserialization
Product: Gentoo Security Reporter: Christopher Fore <csfore>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical CC: sci-mathematics
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://hiddenlayer.com/research/r-bitrary-code-execution/
See Also: https://github.com/gentoo/gentoo/pull/36418
Whiteboard: A1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 930652, 940022    
Bug Blocks:    

Description Christopher Fore 2024-04-29 16:33:19 UTC 
CVE-2024-27322:

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with. 



This above is fixed in 4.4.0.
Comment 1 Hans de Graaff gentoo-dev Security 2024-08-14 09:06:40 UTC 
Ping. Can we file a stable bug for 4.4.1?
Comment 2 Larry the Git Cow gentoo-dev 2024-12-07 08:54:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=952a4853fc9ba82d1c45b5eafe3f8956630a1708

commit 952a4853fc9ba82d1c45b5eafe3f8956630a1708
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-12-07 08:53:34 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-12-07 08:54:17 +0000

    [ GLSA 202412-01 ] R: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/930936
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202412-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)