[gentoo-announce] [ GLSA 202401-07 ] R: Directory Traversal

    From [email protected]@21:1/5 to All on Sat Jan 6 10:10:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202401-07
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: R: Directory Traversal
    Date: January 06, 2024
    Bugs: #765361
    ID: 202401-07

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability was found in R which could allow for remote code
    execution.

    Background
    ==========

    R is a language and environment for statistical computing and graphics.

    Affected packages
    =================

    Package      Vulnerable    Unaffected
    -----------  ------------  ------------
    dev-lang/R   < 4.0.4       >= 4.0.4

    Description
    ===========

    The native R package installation mechanisms do not sufficiently
    validate installed source packages for path traversal.

    Impact
    ======

    Installation of a malicious R package could result in an arbitrary
    file overwrite, which could in turn lead to arbitrary code execution,
    as might be seen with the overwrite of an authorized_keys file.
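    As an added illustration, not part of this advisory or of R's own
    installer code, the following Python check flags archive members of a
    source package that would land outside the library directory when
    untarred (absolute names, `..` after normalisation, and link targets
    that escape). The destination path, package name and archive contents
    are constructed for the example.

```python
import io
import posixpath
import tarfile


def _escapes(dest: str, rel: str) -> bool:
    """True if joining `rel` onto `dest` resolves to a path outside `dest`."""
    if rel.startswith("/"):          # absolute path stored in the archive
        return True
    dest = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest, rel))
    return not (target == dest or target.startswith(dest + "/"))


def unsafe_members(tar_bytes: bytes, dest: str = "/opt/R/library") -> list:
    """Names of members that would be written outside `dest` on extraction.

    This is the validation the advisory says the installer lacked: check
    each member name, a symlink's target (relative to the link's own
    directory) and a hardlink's target (relative to the archive root).
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if _escapes(dest, m.name):
                bad.append(m.name)
            elif m.issym():
                link = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if _escapes(dest, link):
                    bad.append(m.name)
            elif m.islnk() and _escapes(dest, m.linkname):
                bad.append(m.name)
    return bad


def build_sample() -> bytes:
    """Constructed fixture (not a real package): one benign member, three escapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name in ("pkg/DESCRIPTION", "../../root/.ssh/authorized_keys", "/etc/profile"):
            data = b"Package: pkg\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/inst/evil")   # symlink pointing above dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../etc"
        tf.addfile(link)
    return buf.getvalue()
```

    Running `unsafe_members(build_sample())` lists the three escaping
    members and leaves `pkg/DESCRIPTION` unflagged.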

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All R users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/R-4.0.4"

    References
    ==========

    [ 1 ] CVE-2020-27637
    https://nvd.nist.gov/vuln/detail/CVE-2020-27637
    [ 2 ] -fno-common
    [ 3 ] gcc-10

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202401-07

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    [email protected] or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5