rstudio / r-builds

an opinionated environment for compiling R
GNU General Public License v3.0

Patch R 4.0.0 - R 4.3.3 for CVE-2024-27322 #219

Closed gaborcsardi closed 6 months ago

gaborcsardi commented 6 months ago

We also update the NEWS file, so by grepping for 'CVE-2024-27322' one can tell if the patched version is installed or not.

stevenolen commented 6 months ago

That NEWS change implies that users will need to reinstall all packages in their existing environments -- is that correct?

gaborcsardi commented 6 months ago

> That NEWS change implies that users will need to reinstall all packages in their existing environments -- is that correct?

No, no need to reinstall packages. What you see above is not our patch, it is the regular R NEWS, and what they mean is that if you installed packages for earlier versions of R (i.e. 3.6.x or earlier in this case), you cannot use those with R 4.0.0.

But sensible people install packages into libraries that are specific for a certain (minor) R version, so in practice no need to reinstall anything.

stevenolen commented 6 months ago

> But sensible people install packages into libraries that are specific for a certain (minor) R version, so in practice no need to reinstall anything.

Ah, yes. Definitely a standard expectation for us.

gaborcsardi commented 6 months ago

@glin OK, this should be better now. All the other NEWS files (NEWS, NEWS.pdf, NEWS.html) are re-generated at install time, so we don't patch those.

To check if your R version is patched, search for 'CVE-2024-27322' in the NEWS.

From the command line:

```
grep -C 5 CVE-2024-27322 /opt/R/4.0.0/lib/R/doc/NEWS
  CHANGES IN POSIT'S BUILD FROM <URL:
  https://github.com/rstudio/r-builds>:

    * readRDS() and unserialize() now signal an error instead of
      returning a PROMSXP, to fix CVE-2024-27322.

  SIGNIFICANT USER-VISIBLE CHANGES:

    * Packages need to be (re-)installed under this version (4.0.0) of
      R.
```

From R:

```
options(browser = "false")
news(grepl("CVE-2024-27322", Text))
                        Changes in version 4.0.0

CHANGES IN POSIT'S BUILD FROM <URL:

    o   readRDS() and unserialize() now signal an error instead of
        returning a PROMSXP, to fix CVE-2024-27322.
```

(I am not sure why the URL does not show up in R, probably an R bug.)
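The grep check above, generalized to every R installation under a prefix, as an added example that is not part of this PR or of r-builds. It assumes the r-builds layout `PREFIX/<version>/lib/R/doc/NEWS` (as with `/opt/R` in the thread) and builds a constructed sample tree so it runs without a real R install:

```sh
#!/bin/sh
# Added example, not r-builds code: report which R installations under a
# prefix carry the CVE-2024-27322 NEWS marker that the patched builds add.
# Layout assumed: PREFIX/<version>/lib/R/doc/NEWS (the /opt/R layout).

CVE_MARKER='CVE-2024-27322'

# news_is_patched FILE: exit 0 if FILE mentions the marker, 1 if it does not,
# 2 if FILE is missing (an install whose NEWS cannot be checked).
news_is_patched() {
  [ -f "$1" ] || return 2
  grep -F -q -- "$CVE_MARKER" "$1"
}

# report_prefix PREFIX: one status line per R version directory under PREFIX.
report_prefix() {
  for d in "$1"/*/; do
    [ -d "$d" ] || continue
    v=$(basename "$d")
    news="${d%/}/lib/R/doc/NEWS"
    if news_is_patched "$news"; then rc=0; else rc=$?; fi
    case $rc in
      0) echo "$v: patched ($CVE_MARKER found in NEWS)" ;;
      2) echo "$v: unknown (no NEWS file at $news)" ;;
      *) echo "$v: NOT patched ($CVE_MARKER absent from NEWS)" ;;
    esac
  done
}

# make_sample_prefix: constructed demo tree (not a real install): 4.0.0 with
# the patched NEWS text, 3.6.3 with an unpatched NEWS, 4.1.0 with no NEWS.
make_sample_prefix() {
  p=$(mktemp -d)
  for v in 4.0.0 3.6.3 4.1.0; do
    mkdir -p "$p/$v/lib/R/doc"
  done
  printf "  CHANGES IN POSIT'S BUILD FROM <URL:\n  https://github.com/rstudio/r-builds>:\n\n    * readRDS() and unserialize() now signal an error instead of\n      returning a PROMSXP, to fix %s.\n" "$CVE_MARKER" > "$p/4.0.0/lib/R/doc/NEWS"
  printf "  SIGNIFICANT USER-VISIBLE CHANGES:\n\n    * Packages need to be (re-)installed under this version.\n" > "$p/3.6.3/lib/R/doc/NEWS"
  echo "$p"
}

# Demo run over the constructed tree; point report_prefix at /opt/R for real use.
report_prefix "$(make_sample_prefix)"
```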

glin commented 6 months ago

@gaborcsardi Yeah it seems like an R bug. At least with 4.3.3, the URL shows up correctly:

```
> options(browser = "false")
> news(grepl("CVE-2024-27322", Text))

                        Changes in version 4.3.3

CHANGES IN POSIT'S BUILD FROM <https://github.com/rstudio/r-builds>

    o   readRDS() and unserialize() now signal an error instead of
        returning a PROMSXP, to fix CVE-2024-27322.
```