Patched builds are now available for R 4.0.0 to 4.3.3 (#219). You can reinstall R from the same download URLs as before to receive the patch.
To check if your R version is patched, search for CVE-2024-27322 in the R NEWS.
From the command line:
```
$ grep -C 5 CVE-2024-27322 $(R RHOME)/doc/NEWS
CHANGES IN R 4.3.3:

  CHANGES IN POSIT'S BUILD FROM <https://github.com/rstudio/r-builds>:

    * readRDS() and unserialize() now signal an error instead of returning a PROMSXP, to fix CVE-2024-27322.

  NEW FEATURES:

    * iconv() now fixes up variant encoding names such as "utf8" case-insensitively.
```
From R:
```
> options(browser="false")
> news(grepl("CVE-2024-27322", Text))
Changes in version 4.3.3

CHANGES IN POSIT'S BUILD FROM <https://github.com/rstudio/r-builds>

    o readRDS() and unserialize() now signal an error instead of returning a PROMSXP, to fix CVE-2024-27322.
```
Hi,
I know 4.4.0 is already patched for CVE-2024-27322 (https://nvd.nist.gov/vuln/detail/CVE-2024-27322) but are there any plans to backport the patch to older versions of R in your binary builds? There's advice on how to generate the patch at https://stat.ethz.ch/pipermail/r-devel/2024-April/083396.html
Many thanks!