Patch read_rds for CVE-2024-27322 #1541

Closed
Moohan opened this issue May 14, 2024 · 1 comment

@Moohan

Moohan commented May 14, 2024

I wonder if it would be possible for readr to somehow patch read_rds to mitigate the exploit CVE-2024-27322. This is patched in R 4.4.0, so the obvious fix is to use that, but our organisation (and I'm sure there are others who are similar) is slow-moving and might take a while to roll out the new version of R for us to use. At the same time, users are able to install packages / package updates, so (if it's possible) patching read_rds would be a great way to mitigate this exploit for many users.

@hadley
Member

hadley commented May 14, 2024

I don't think there's any way to patch this outside of R itself because the internal implementation for readRDS uses a bunch of internal APIs that are not accessible from a package. We (Posit) are exploring making patched versions of R itself, which you can track in rstudio/r-builds#218.

@hadley hadley closed this as completed May 14, 2024