
CVE-2024-27322 and this package

Open chainsawriot opened this issue 2 months ago • 15 comments

CVE-2024-27322 is partially fixed in R 4.4.0. But the attack surface is still there. First, this package supports R > 3.6 therefore the partial fix in 4.4.0 is not applied in many supported versions. Second, even with 4.4.0 deserialization of .Rdata and .RDS in some cases can still invoke arbitrary code execution. See this message by gws.

We can't be too nanny, but should we rethink the "any R object" policy of .Rdata

https://github.com/gesistsa/rio/blob/c529994b479f2014e64d9dc4d4c21f4032c48ca1/R/import.R#L31

.RDS

https://github.com/gesistsa/rio/blob/c529994b479f2014e64d9dc4d4c21f4032c48ca1/R/import.R#L32

and qs

https://github.com/gesistsa/rio/blob/c529994b479f2014e64d9dc4d4c21f4032c48ca1/R/import.R#L33-L35

There are several options:

  1. Warn about non-data-frame objects
  2. Completely forbid non-data-frame objects
  3. Only forbid Promise
  4. Just warn in the doc
  5. Don't be nanny

chainsawriot avatar May 01 '24 10:05 chainsawriot
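The following is an added illustration of options 1 and 2 from the post (warn on, or refuse, anything that is not a data frame), not code from rio itself. The function names `read_serialized` and `import_strict`, the `trust` and `on_nondf` arguments, and the sample files written to `tempfile()` are all constructed for this example; only `readRDS`, `load` and `qs::qread` are the real readers the post refers to.

```r
# Added example (not rio's code): a reader for the three serialization formats
# named in the issue, plus a wrapper that enforces a "data frame only" policy.
# `read_serialized`, `import_strict`, `trust` and `on_nondf` are hypothetical names.

read_serialized <- function(file, format = c("rds", "rdata", "qs")) {
    format <- match.arg(format)
    switch(format,
        rds = readRDS(file),
        rdata = {
            # load() into a private environment and return the first object,
            # which is how an "any R object" .Rdata import typically behaves
            env <- new.env(parent = emptyenv())
            nm <- load(file, envir = env)
            if (length(nm) == 0L) stop("no objects found in ", sQuote(file))
            get(nm[1], envir = env)
        },
        qs = qs::qread(file)
    )
}

import_strict <- function(file, format = "rds", trust = FALSE,
                          on_nondf = c("error", "warn")) {
    on_nondf <- match.arg(on_nondf)
    # Explicit opt-in: deserializing R objects runs code the caller did not write,
    # so the caller must assert that the file comes from a trusted source.
    if (!isTRUE(trust)) {
        stop("Refusing to deserialize ", sQuote(basename(file)),
             ": pass trust = TRUE only for files from a trusted source")
    }
    x <- read_serialized(file, format)
    if (!is.data.frame(x)) {
        msg <- sprintf("%s contains an object of class %s, not a data frame",
                       basename(file), class(x)[1])
        if (on_nondf == "error") stop(msg) else warning(msg, call. = FALSE)
    }
    x
}

# Constructed sample inputs: one .rds holding a data frame, one holding a closure.
df_file <- tempfile(fileext = ".rds")
saveRDS(mtcars, df_file)
fn_file <- tempfile(fileext = ".rds")
saveRDS(function() "not a data frame", fn_file)

str(import_strict(df_file, trust = TRUE))                      # returned unchanged
tryCatch(import_strict(fn_file, trust = TRUE),                 # option 2: refuse
         error = function(e) conditionMessage(e))
withCallingHandlers(                                            # option 1: warn
    import_strict(fn_file, trust = TRUE, on_nondf = "warn"),
    warning = function(w) { message("warned: ", conditionMessage(w)); invokeRestart("muffleWarning") })
tryCatch(import_strict(df_file),                               # no trust given
         error = function(e) conditionMessage(e))
```

The class check runs after the file has already been deserialized, and `is.data.frame(x)` itself evaluates the loaded object, so it enforces the return-type policy the post is weighing but does not stop code that executes during unserialization or on first access. That is why the `trust` gate is the part doing the security work: the only robust mitigation for these formats is not to deserialize files from untrusted sources at all, and the wrapper makes that decision an explicit call-site choice rather than an implicit default.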