Vulnerabilities identified by https://ossindex.sonatype.org
Because of security concerns, my employer asks me to run a vulnerability assessment for each R package before using it. The current method we have for vulnerability assessment is using the R package oysteR. This package actually checks vulnerabilities in the OSS Index from https://ossindex.sonatype.org.
Here is the code I used to run the vulnerability assessment, and one vulnerability is identified for the package haven.
```r
library(oysteR)
# Audit every installed R package against the OSS Index
audit <- audit_installed_r_pkgs()
# Show the vulnerability details recorded for the package haven
audit[audit$package == "haven", "vulnerabilities"][[1]]
```
In the returned data, the description of the vulnerability is: "1 non-CVE vulnerability found. To see more details, please create a free account at https://https://ossindex.sonatype.org/ and request for this information using your registered account"
And from the website, I found this link:
https://ossindex.sonatype.org/vulnerability/sonatype-2021-1261?component-type=cran&component-name=haven
where I found the following description:
Description [sonatype-2021-1261] CWE-122: Heap-based Buffer Overflow
r-haven - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Since the package haven is a dependency of many other packages, it would be great if the vulnerability could be cleaned up. I know it may not be a big issue, but the security team relies on the vulnerability report to approve R packages.
Thank you.
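The following is an added example, not code from the issue above or from the oysteR or haven projects. It extends the audit shown in the report from one package to every installed package, flattens the nested results into one row per finding, and separates CVE-identified findings from vendor-only ids such as the sonatype-2021-1261 entry mentioned above, which need an OSS Index account to read in full. The column names `no_of_vulnerabilities`, `id`, `title`, `cvssScore` and `reference` are assumptions about oysteR's return value and the OSS Index fields; check them against `names(audit)` and `str(audit$vulnerabilities[[1]])` before relying on this in a review pipeline.

```r
library(oysteR)

# Audit every installed package against the OSS Index (same call as in the report).
audit <- audit_installed_r_pkgs()

# Keep only packages with at least one reported vulnerability.
# Assumed column name: no_of_vulnerabilities (check with names(audit)).
flagged <- audit[!is.na(audit$no_of_vulnerabilities) & audit$no_of_vulnerabilities > 0, ]

# Flatten the nested 'vulnerabilities' list column into one row per finding.
# Assumed inner field names: id, title, cvssScore, reference (OSS Index fields).
one_package <- function(i) {
  v <- flagged$vulnerabilities[[i]]
  if (is.null(v) || nrow(v) == 0) return(NULL)
  data.frame(
    package   = flagged$package[i],
    version   = flagged$version[i],
    id        = v$id,
    title     = v$title,
    cvss      = v$cvssScore,
    reference = v$reference,
    stringsAsFactors = FALSE
  )
}
findings <- do.call(rbind, lapply(seq_len(nrow(flagged)), one_package))

if (is.null(findings)) {
  message("No vulnerabilities reported for installed packages.")
} else {
  # CVE ids can be looked up publicly; vendor ids (e.g. sonatype-YYYY-NNNN)
  # require a free OSS Index account for the full description.
  findings$has_cve <- grepl("^CVE-", findings$id)
  findings <- findings[order(-findings$cvss), ]
  print(findings)

  # Record the report so the security team can review it with the package request.
  write.csv(findings, "r-package-audit.csv", row.names = FALSE)
}
```

Sorting by CVSS score puts the findings that most need a decision first; the `has_cve` column tells the reviewer which rows can be cross-checked against public advisories without an OSS Index login.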
Hi @zhuoyu, thanks for the report!
@evanmiller this looks like a buffer overflow in ReadStat picked up by OSS Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33991
Open issue upstream: https://github.com/WizardMac/ReadStat/issues/285
Thanks!