Package: r-base
Version: 3.5.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
I create this bug in order to track the fix of this CVE in pre-trixie Debian releases. I mark it as found in the buster release, but it is also present in older releases. I will mark it as fixed in 4.4.0-2 (currently sid and trixie).

According to the CVE description:

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.

If possible, this bug should be fixed, at least in Debian stable (and possibly oldstable). The reason is that, due to local code or library incompatibility, it is not always easy/feasible to upgrade r-base without involving lots of work. And R is used by lots of people that do not necessarily have enough skills to fix code when upgrading r-base and finding problems.

Following CVE links, I found this patch:

https://src.fedoraproject.org/rpms/R/blob/f39/f/R-CVE-2024-27322.patch

It seems simple enough to have the hope that it can be applied to previous r-base versions (but I did not check it).
Regards,
Vincent

-- System Information:
Debian Release: trixie/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.8.9-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages r-base depends on:
ii  r-base-core    4.4.0-2
ii  r-recommended  4.4.0-2

Versions of packages r-base recommends:
ii  r-base-html  4.4.0-2
ii  r-doc-html   4.4.0-2

Versions of packages r-base suggests:
ii  elpa-ess                24.01.1-1
pn  r-doc-info | r-doc-pdf  <none>

-- no debconf information