Vulnerability in the R language implementation allowing code execution when deserializing RDS and RDX files

A critical vulnerability (CVE-2024-27322) has been identified in the reference implementation of R, a programming language oriented towards statistical processing, analysis and visualization of data. It leads to code execution when deserializing untrusted data and can be exploited by processing specially crafted files in the RDS (R Data Serialization) and RDX formats.

The vulnerability stems from the behaviour of the readRDS function, which loads files in the RDS and RDX formats. These formats allow serialized R objects to be transferred to another system for processing: serialization captures an object's state so that data sets can be exchanged between programs. An RDS file stores the state of a single object, while an RDX file, in combination with an RDB file, carries information about several objects. The problem is that the serialization format supports the PROMSXP object code, corresponding to the Promise type, which represents an expression that is evaluated lazily, only when its value is first needed.

In the serialized form, a Promise object consists of three parts: the promise value, the expression, and the environment in which the expression is to be evaluated. If the promise carries no precomputed value, the value is obtained by evaluating the expression with the eval function. An attacker can therefore place arbitrary R code in the expression slot of a promise whose value is left unbound in an RDS or RDX file, and that code runs when the file is loaded. In practice, any code path that calls readRDS on data from an untrusted source, for example a data set downloaded from the network or shared by another user, has to be treated as running that source's code until R is updated.

The issue is fixed in the R 4.4.0 release. Package updates for distributions can be tracked on the respective pages for Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD.
