Ivan Krylov
2024-Jun-26 20:25 UTC
[R] Regarding the Security Vulnerability CVE 2024 - 27322
Dear Aishwarya Priyadarshini,

Welcome to R-help! Most people here aren't affiliated with R Foundation.

On Wed, 26 Jun 2024 17:03:37 +0000
"Priya, Aishwarya via R-help" <r-help at r-project.org> wrote:

> I am reaching out to seek your guidance on addressing the security
> vulnerability CVE-2024-27322.

> To address this issue effectively, it appears that we need to first
> uninstall the existing older version before installing the latest
> version. This process should ensure that the security vulnerability
> is adequately resolved.

What's your threat model?

If you need the CVE fix purely because you are required to install it by some sort of regulations, installing R-4.4.0 and removing all older versions of R is definitely the right thing to do.

If you actually need to be secure against untrusted *.rds or *.rda files, R-4.4.0 or any other version of R will be of no help to you. There are too many ways to make an R object dangerous to use, and the *.rds and *.rda files will faithfully represent the trapped R object even in the absence of any vulnerabilities in the parser: https://aitap.github.io/2024/05/02/unserialize.html

If you only process *.rds and *.rda files you trust, you've never been in danger from this so-called vulnerability. Feel free to keep running older versions of R.

-- 
Best regards,
Ivan
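Ivan's point is that the fix for this CVE is not a parser version but a trust decision: only unserialize files whose origin you vouch for. One way to turn that decision into an enforced control is to gate `readRDS()`/`load()` behind an integrity allowlist. The following POSIX shell script is an added example written for this page, not code from the thread or from the R project; it assumes a manifest in the format `sha256sum` itself writes (`<hex>  <path>`) and that the path given to the check matches the path recorded in the manifest. The file and manifest names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the R-help thread): enforce "only process
# *.rds/*.rda files you trust" with a SHA-256 allowlist that is checked
# before R ever sees the bytes. Manifest format is sha256sum's own
# "<hex>  <path>"; file and manifest names below are assumed.

# rds_is_trusted FILE MANIFEST
# Returns 0 when FILE's SHA-256 digest is registered for that exact path
# in MANIFEST, 1 otherwise (missing file, missing manifest, or mismatch).
rds_is_trusted() {
  file=$1
  manifest=$2
  [ -f "$file" ] || return 1
  [ -f "$manifest" ] || return 1
  actual=$(sha256sum -- "$file" | cut -d' ' -f1)
  # Match digest AND path, so a digest registered for one file cannot
  # vouch for a different file that happens to carry the same name.
  awk -v d="$actual" -v f="$file" \
    '$1 == d && $2 == f { found = 1 } END { exit !found }' "$manifest"
}

# load_trusted_rds FILE MANIFEST
# Invokes R (readRDS) only when the integrity check passes; otherwise it
# refuses without handing the bytes to unserialize() at all.
load_trusted_rds() {
  if ! rds_is_trusted "$1" "$2"; then
    echo "refusing to unserialize untrusted file: $1" >&2
    return 2
  fi
  Rscript -e "x <- readRDS('$1'); str(x)"
}

# Constructed demonstration: register a sample file, then show that any
# modification after registration makes the check refuse the file.
demo() {
  dir=$(mktemp -d)
  printf 'constructed sample payload\n' > "$dir/sample.rds"
  ( cd "$dir" && sha256sum sample.rds > manifest.sha256 )
  if ( cd "$dir" && rds_is_trusted sample.rds manifest.sha256 ); then
    echo "sample.rds: digest registered, trusted"
  fi
  printf 'tampered\n' >> "$dir/sample.rds"
  if ! ( cd "$dir" && rds_is_trusted sample.rds manifest.sha256 ); then
    echo "sample.rds: digest mismatch, refused"
  fi
  rm -rf "$dir"
}

demo
```

The manifest has to be produced and stored where the untrusted party cannot alter it (for example alongside signed release artifacts, not next to the data file it describes); the check itself adds nothing if an attacker who can replace the `.rds` file can also rewrite its registered digest.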
Ben Bolker
2024-Jun-26 20:36 UTC
[R] Regarding the Security Vulnerability CVE 2024 - 27322
On 2024-06-26 4:25 p.m., Ivan Krylov via R-help wrote:
> Dear Aishwarya Priyadarshini,
>
> Welcome to R-help! Most people here aren't affiliated with R Foundation.
>
> On Wed, 26 Jun 2024 17:03:37 +0000
> "Priya, Aishwarya via R-help" <r-help at r-project.org> wrote:
>
>> I am reaching out to seek your guidance on addressing the security
>> vulnerability CVE-2024-27322.
>
>> To address this issue effectively, it appears that we need to first
>> uninstall the existing older version before installing the latest
>> version. This process should ensure that the security vulnerability
>> is adequately resolved.
>
> What's your threat model?
>
> If you need the CVE fix purely because you are required to install it
> by some sort of regulations, installing R-4.4.0 and removing all older
> versions of R is definitely the right thing to do.
>
> If you actually need to be secure against untrusted *.rds or *.rda
> files, R-4.4.0 or any other version of R will be of no help to you.
> There are too many ways to make an R object dangerous to use, and the
> *.rds and *.rda files will faithfully represent the trapped R object
> even in the absence of any vulnerabilities in the parser:
> https://aitap.github.io/2024/05/02/unserialize.html
>
> If you only process *.rds and *.rda files you trust, you've never been
> in danger from this so-called vulnerability. Feel free to keep running
> older versions of R.

I spent a little while working in a secure data centre where they wouldn't allow us shell access "for security reasons", but they did allow us to use R. It would have made things very inconvenient if I had told them about the system() command, so I didn't bother ...

Ben Bolker
Priya, Aishwarya
2024-Jun-27 11:08 UTC
[R] Regarding the Security Vulnerability CVE 2024 - 27322
Hi Ivan and R-Help Team,

Thank you for your prompt response and the helpful information.

I have another query: Is there a way to patch or upgrade the existing installation to version 4.4.0, rather than having to uninstall the older version and then install the latest one? A direct upgrade or patch would greatly simplify the process and reduce downtime.

Your guidance on this matter would be greatly appreciated.

Thank you once again for your assistance.

Thanks & Regards,
Aishwarya Priyadarshini
TMX Software Delivery, Virtualization & Telemetry
Dell Digital | Team Member eXperience
Aishwarya_Priya at Dell.com

-----Original Message-----
From: Ivan Krylov <ikrylov at disroot.org>
Sent: Thursday, June 27, 2024 1:55 AM
To: r-help at r-project.org
Cc: Priya, Aishwarya <Aishwarya_Priya at Dell.com>
Subject: Re: [R] Regarding the Security Vulnerability CVE 2024 - 27322

Dear Aishwarya Priyadarshini,

Welcome to R-help! Most people here aren't affiliated with R Foundation.

On Wed, 26 Jun 2024 17:03:37 +0000
"Priya, Aishwarya via R-help" <r-help at r-project.org> wrote:

> I am reaching out to seek your guidance on addressing the security
> vulnerability CVE-2024-27322.

> To address this issue effectively, it appears that we need to first
> uninstall the existing older version before installing the latest
> version. This process should ensure that the security vulnerability is
> adequately resolved.

What's your threat model?

If you need the CVE fix purely because you are required to install it by some sort of regulations, installing R-4.4.0 and removing all older versions of R is definitely the right thing to do.

If you actually need to be secure against untrusted *.rds or *.rda files, R-4.4.0 or any other version of R will be of no help to you. There are too many ways to make an R object dangerous to use, and the *.rds and *.rda files will faithfully represent the trapped R object even in the absence of any vulnerabilities in the parser: https://aitap.github.io/2024/05/02/unserialize.html

If you only process *.rds and *.rda files you trust, you've never been in danger from this so-called vulnerability. Feel free to keep running older versions of R.

-- 
Best regards,
Ivan