Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 930936 (CVE-2024-27322) - <dev-lang/R-4.4.1: arbitrary code execution in R's deserialization
Summary: <dev-lang/R-4.4.1: arbitrary code execution in R's deserialization
Status: CONFIRMED
Alias: CVE-2024-27322
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical
Assignee: Gentoo Security
URL: https://hiddenlayer.com/research/r-bi...
Whiteboard: A1 [stable]
Keywords: PullRequest
Depends on: 940022 930652
Blocks:
  Show dependency tree
 
Reported: 2024-04-29 16:33 UTC by Christopher Fore
Modified: 2024-10-09 17:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2024-04-29 16:33:19 UTC
CVE-2024-27322:

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with. 



This above is fixed in 4.4.0.
Comment 1 Hans de Graaff gentoo-dev Security 2024-08-14 09:06:40 UTC
Ping. Can we file a stable bug for 4.4.1?