R help - Jun 2024 - Regarding the Security Vulnerability CVE 2024 - 27322

Dear R Foundation Team,

I hope this message finds you well.
I am reaching out to seek your guidance on addressing the security vulnerability
CVE-2024-27322. As I understand, a security fix for this vulnerability has been
available starting from v4.4.0. This issue affects all versions from 1.4.0 to
4.3.3.

During our testing phase, we encountered a challenge while attempting to upgrade
to the secure version. Our devices were running version 4.3.3 and below, and we
tried to install version 4.4.0, hoping the installer would detect the older
version and perform an in-place upgrade. However, we observed that the new
version was installed alongside the older version rather than replacing it.
Consequently, this approach did not mitigate the security vulnerability.

To address this issue effectively, it appears that we need to first uninstall
the existing older version before installing the latest version. This process
should ensure that the security vulnerability is adequately resolved.

Could you please confirm if this is the recommended approach for handling this
specific security issue? Additionally, if there are any alternative methods or
best practices you could suggest for performing this upgrade seamlessly, we
would greatly appreciate your insights.

Thank you for your support and assistance in this matter.


Thanks & Regards,
Aishwarya Priyadarshini
TMX Software Delivery, Virtualization & Telemetry
Dell Digital | Team Member eXperience
Aishwarya_Priya at Dell.com<mailto:Aishwarya_Priya at Dell.com>



Internal Use - Confidential

	[[alternative HTML version deleted]]

Dear Aishwarya Priyadarshini,

Welcome to R-help! Most people here aren't affiliated with R Foundation.

? Wed, 26 Jun 2024 17:03:37 +0000
"Priya, Aishwarya via R-help" <r-help at r-project.org> ?????:
> I am reaching out to seek your guidance on addressing the security
> vulnerability CVE-2024-27322.
> To address this issue effectively, it appears that we need to first
> uninstall the existing older version before installing the latest
> version. This process should ensure that the security vulnerability
> is adequately resolved.
What's your threat model?

If you need the CVE fix purely because you are required to install it
by some sort of regulations, installing R-4.4.0 and removing all older
versions of R is definitely the right thing to do.

If you actually need to be secure against untrusted *.rds or *.rda
files, R-4.4.0 or any other version of R will be of no help to you.
There are too many ways to make an R object dangerous to use, and the
*.rds and *.rda files will faithfully represent the trapped R object
even in the absence of any vulnerabilities in the parser:
https://aitap.github.io/2024/05/02/unserialize.html

If you only process *.rds and *.rda files you trust, you've never been
in danger from this so-called vulnerability. Feel free to keep running
older versions of R.

-- 
Best regards,
Ivan