
Commit c89dbfa

[AUTO-CHERRYPICK] R: patch CVE-2024-27322 - branch main (#9486)
Co-authored-by: Saul Paredes <30801614+Redent0r@users.noreply.github.com>
1 parent c7a0e96 commit c89dbfa

2 files changed

Lines changed: 54 additions & 1 deletion


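--- a/SPECS/R/CVE-2024-27322.patch
+++ b/SPECS/R/CVE-2024-27322.patch
@@ -0,0 +1,49 @@
+From f7c46500f455eb4edfc3656c3fa20af61b16abb7 Mon Sep 17 00:00:00 2001
+From: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date: Sun, 31 Mar 2024 19:35:58 +0000
+Subject: [PATCH] readRDS() and unserialize() now signal an errorr instead of
+returning a PROMSXP.
+
+git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+---
+src/main/serialize.c | 13 ++++++++++---
+1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f713116..a190fbf8f3c 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+return R_NilValue;
+}
+
++static SEXP checkNotPromise(SEXP val)
++{
++ if (TYPEOF(val) == PROMSXP)
++ error(_("cannot return a promise (PROMSXP) object"));
++ return val;
++}
++
+/* unserializeFromConn(conn, hook) used from readRDS().
+It became public in R 2.13.0, and that version added support for
+connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+con->close(con);
+UNPROTECT(1);
+}
+- return ans;
++ return checkNotPromise(ans);
+}
+
+/*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+{
+checkArity(op, args);
+- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++ return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+SEXP object, icon, type, ver, fun;
+object = CAR(args); args = CDR(args);
+icon = CAR(args); args = CDR(args);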
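Review bot: checkNotPromise (patch lines 20–25) inspects only the TYPEOF of the object handed back to the caller, so the guard applies to a bare PROMSXP as the unserialized result; a promise sitting inside a list element or attribute of that object is not walked by this helper, and nothing in the hunk suggests deeper validation is intended. A short comment on the helper would keep a later reader from assuming otherwise, e.g. `/* Reject a bare promise as the unserialize() result; nested values are not walked here. */`. In the do_serialize hunk the line `if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));` keeps the old call as a trailing comment; that is the upstream r86235 text verbatim, which is a defensible choice for a backport, but if the patch is ever regenerated rather than copied the commented-out remnant should be dropped. do_unserializeFromConn and do_serialize both begin or end outside the quoted hunks.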

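--- a/SPECS/R/R.spec
+++ b/SPECS/R/R.spec
@@ -2,7 +2,7 @@
 Summary: A language for data analysis and graphics
 Name: R
 Version: 4.1.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -13,6 +13,7 @@ Source0: https://cran.r-project.org/src/base/R-4/R-%{version}.tar.gz
 # in 2018. Given curl 8.0.0 is not an actual breaking change, this patch should be fine.
 # We should drop this when R eventually gets official support for build with curl >= 8.0.0
 Patch0: 0001-configure-fix-compilation-with-curl-8.0.0.patch
+Patch1: CVE-2024-27322.patch
 BuildRequires: build-essential
 BuildRequires: bzip2-devel
 BuildRequires: curl-devel
@@ -121,6 +122,9 @@ TZ="Europe/Paris" make check -k -i
 %endif
 
 %changelog
+* Wed Jun 19 2024 Saul Paredes <saulparedes@microsoft.com> - 4.1.0-5
+- Patch CVE-2024-27322
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 4.1.0-4
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 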