R: Arbitrary Code Execution — GLSA 202412-01

A vulnerability has been discovered in R, which can lead to arbitrary code execution.

Affected packages

dev-lang/R on all architectures
Affected versions < 4.4.1
Unaffected versions >= 4.4.1

Background

R is a language and environment for statistical computing and graphics.

Description

Deserialization of untrusted data can occur in the R statistical programming language, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.

Impact

Arbitrary code may be run when deserializing untrusted data.

Workaround

There is no known workaround at this time.

Resolution

All R users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/R-4.4.1"
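
A quick way to confirm whether an installed R still falls in the affected range, as an added shell example that is not part of the GLSA: it parses the banner line printed by `R --version` and compares the version against the 4.4.1 threshold given above (the banner lines used for checking are constructed).

```shell
#!/bin/sh
# Added check (not part of the advisory): report whether an R build is below
# the fixed version 4.4.1 named in GLSA 202412-01.
FIXED_VERSION="4.4.1"

# Extract the dotted version number from an `R --version` banner line such as
# 'R version 4.3.3 (2024-02-29) -- "Angel Food Cake"' (constructed sample).
r_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^R version \([0-9][0-9.]*\).*/\1/p'
}

# Component-wise version comparison: succeeds (returns 0) when $1 < $2,
# so 4.4.10 is correctly treated as newer than 4.4.1.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
    [ "$lowest" = "$1" ]
}

# Print "affected" or "unaffected" for a banner line; return 2 if it cannot
# be parsed, so callers never mistake garbage for a safe result.
r_status() {
    ver=$(r_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo affected
    else
        echo unaffected
    fi
}

# Stand-alone use: inspect whichever R is on PATH, if any.
if command -v R >/dev/null 2>&1; then
    r_status "$(R --version 2>/dev/null | head -n1)" \
        || echo "could not parse R --version output"
fi
```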

References

Release date
December 07, 2024

Latest revision
December 07, 2024: 1

Severity
high

Exploitable
local

Bugzilla entries