Bug 765361 (CVE-2020-27637) - <dev-lang/R-4.0.4: code execution via malicious CRAN package (CVE-2020-27637)
Summary: <dev-lang/R-4.0.4: code execution via malicious CRAN package (CVE-2020-27637)
Alias: CVE-2020-27637
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa?]
Depends on:
Blocks: 776781
Reported: 2021-01-13 22:40 UTC by John Helmert III
Modified: 2021-07-29 18:13 UTC

Description John Helmert III gentoo-dev Security 2021-01-13 22:40:37 UTC

The R programming language's default package manager CRAN is affected by a path traversal vulnerability that can lead to server compromise. This vulnerability affects packages installed via the R CMD install CLI command or the install.packages() function from the interpreter. Update to version 4.0.3.

Please bump.
Comment 1 Michael Orlitzky gentoo-dev 2021-03-10 00:24:04 UTC
Beat me to it:

commit ce6e78601bb5c33852051754f575272a05ef9c5c
Author: Mikle Kolyada <>
Date:   Fri Mar 5 15:55:15 2021 +0300

    dev-lang/R: Version bump (v4.0.4)

    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Mikle Kolyada <>
Comment 2 John Helmert III gentoo-dev Security 2021-03-10 01:15:24 UTC
Please proceed with stabilization when ready.
Comment 3 Michael Orlitzky gentoo-dev 2021-03-17 11:35:09 UTC
Let's get it stabilized... the existing stable ebuild has gcc-10 problems anyway.
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2021-03-19 18:08:10 UTC
amd64 stable
Comment 5 Sam James archtester gentoo-dev Security 2021-03-28 10:59:01 UTC
x86 done
Comment 6 Sam James archtester gentoo-dev Security 2021-03-28 19:43:43 UTC
arm64 done
Comment 7 Rolf Eike Beer archtester 2021-04-11 20:17:38 UTC
sparc stable
Comment 8 John Helmert III gentoo-dev Security 2021-04-11 20:24:21 UTC
Please cleanup, thanks!
Comment 9 Larry the Git Cow gentoo-dev 2021-04-20 11:06:21 UTC
The bug has been referenced in the following commit(s):

commit 92d5e5c89778eb7ce15420c71a3f7abd0bdf6b7e
Author:     David Seifert <>
AuthorDate: 2021-04-20 11:06:05 +0000
Commit:     David Seifert <>
CommitDate: 2021-04-20 11:06:05 +0000

    dev-lang/R: Remove old 3.4.1, 3.6.3-r1, 4.0.2
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: David Seifert <>

 dev-lang/R/Manifest          |   3 -
 dev-lang/R/R-3.4.1.ebuild    | 203 ------------------------------------
 dev-lang/R/R-3.6.3-r1.ebuild | 234 -----------------------------------------
 dev-lang/R/R-4.0.2.ebuild    | 243 -------------------------------------------
 4 files changed, 683 deletions(-)
Comment 10 John Helmert III gentoo-dev Security 2021-04-20 13:13:47 UTC
Thank you!
Comment 16 NATTkA bot gentoo-dev 2021-07-29 18:13:16 UTC
Package list is empty or all packages have requested keywords.