Name | CVE-2024-27322 |
Description | Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 1073061 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
r-base (PTS) | jessie, jessie (lts) | 3.1.1-1+deb8u1 | vulnerable |
r-base (PTS) | stretch | 3.3.3-1 | vulnerable |
r-base (PTS) | buster | 3.5.2-1 | vulnerable |
r-base (PTS) | bullseye | 4.0.4-1 | vulnerable |
r-base (PTS) | bookworm | 4.2.2.20221110-2 | vulnerable |
r-base (PTS) | sid, trixie | 4.4.2-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
r-base | source | (unstable) | 4.4.0-2 | unimportant | | 1073061 |
https://hiddenlayer.com/research/r-bitrary-code-execution/
https://kb.cert.org/vuls/id/238194
https://src.fedoraproject.org/rpms/R/blob/f39/f/R-CVE-2024-27322.patch
https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7
https://blog.r-project.org/2024/05/10/statement-on-cve-2024-27322/index.html
Not considered a security issue by R Core (upstream) and the R Foundation.