From nobody Thu May 02 04:10:50 2024 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VVL8C1YBSz5JB6J; Thu, 2 May 2024 04:10:51 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VVL8C15svz4BHW; Thu, 2 May 2024 04:10:51 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1714623051; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=LmfkpUKFuzM4iszgwE1p7WMAFS4Up55GhHBJg2T41VE=; b=j2YJsWC/DZyx/Vx/wCgho43PcwqzhaFqAVarqcKotvDAUVO7wm+ogCC99PoTIpCd3y0JBz MQmyOU8xlKE0CmuTOotcg3TXgzl1/ipzxjpaFdmSd/4tr3CXUA7hHnsseuqoeUJ0Na/FW/ 6GO+vaYVn2lDjC13sHPGL36mcYqnG6tFJV1mmtI8uihKz0/1vNYyiQQ5b5u2j1y1hv4mAQ KoEZ4O6pqaq59fUoiMSGuzQl7M8Du3daw/XlUFXSLZiAdIWhoE5R7B0vUBsbjk72qVI7in nPLQf18xhQYOh41qi1g7dwpbu7qKtV4f6L8Fz2TagzuDHxW4Y95WEL46cSedZw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1714623051; a=rsa-sha256; cv=none; b=ujblfSGooun45ofkbjdzN4Y/LrfYMUvwSomXUIJInAZ9XzpMHRMw+nHJ1oLTbJKAh3mwUQ C2QmPIZdj1mlsx0Fe+kwpg2MQMtPmu5YrsyOmZj2lTu2whxNcJw8jB20QGTq4AJUmxvc6v ZwxpoDJBMjdpxyRMDQzA+Bz5/Z3rL+zVcR2JZg2QwGjBVCa0RxEkm7ri6q1GxdQBZlm/61 BoBM4H5X9MMYOshxfXjHwCxqUhA3uugmlZZsMvSSwXOqsky0d/pmnCPX4/g+S1xj6KB3e0 SdwxDPXzCsK76spgJ6DD0QMX4cebA/SCdnb3Ujy+L7K1YsU3q+BQJ6ovA35fHg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1714623051; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=LmfkpUKFuzM4iszgwE1p7WMAFS4Up55GhHBJg2T41VE=; b=j9OIKcrzh28LSxptHZYg6qpnYPAm1hH0LalyKEvTyeSt884KDviE/DNrCIwSp6shGYiAkp 6gxQTLfbGQhOhtqXYmb7LUi/NnhUcw2PP9TBnUGH/cl8fzqGlLuJvgtyc0lGJl8Or5epqa Dic30U97HjaEWU+3vA5nnKH7SJD9W2VpRBofCj7dANNk1DrziRUak2UOiH3THnjLjkc58T /a67tVOQo88xf7ikJFjELozldIrv9vFhzo013xPwDkpYuAnIc0+u/LJd8HZHw3TooohQe8 tC6yzUUlVICDD0Y1Z9sYmSLee0uULHnKS9lgU5SgKueaqcrc8lwd29tixpyIPw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4VVL8C0jgkzn6H; Thu, 2 May 2024 04:10:51 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 4424AovX041920; Thu, 2 May 2024 04:10:50 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 4424Ao6D041917; Thu, 2 May 2024 04:10:50 GMT (envelope-from git) Date: Thu, 2 May 2024 04:10:50 GMT Message-Id: <202405020410.4424Ao6D041917@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Joseph Mingrone Subject: git: f237383c608b - main - security/vuxml: Document ACE vulnerability in math/R List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-all@freebsd.org Sender: owner-dev-commits-ports-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jrm X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: f237383c608b753264c0a56de5e94b399c0a9b31 Auto-Submitted: auto-generated The branch main has been updated by jrm: URL: https://cgit.FreeBSD.org/ports/commit/?id=f237383c608b753264c0a56de5e94b399c0a9b31 commit f237383c608b753264c0a56de5e94b399c0a9b31 Author: Joseph Mingrone AuthorDate: 2024-05-02 03:59:11 +0000 Commit: Joseph Mingrone CommitDate: 2024-05-02 04:06:54 +0000 security/vuxml: Document ACE vulnerability in math/R In versions released before 4.4.0, the R statistical program is vulnerable to CVE-2024-27322, which allows maliciously crafted RDS (R Data Serialization) files or R packages to run arbitrary code. Sponsored by: The FreeBSD Foundation --- security/vuxml/vuln/2024.xml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 5db3845477dc..fd2a574679c5 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,29 @@ + + R -- arbitrary code execution vulnerability + + + R + 4.4.0 + + + + +

HiddenLayer Research reports:

+
+

Deserialization of untrusted data can occur in the R statistical programming language, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user's system.

+
+ + + + CVE-2024-27322 + https://nvd.nist.gov/vuln/detail/CVE-2024-27322 + + + 2024-04-29 + 2024-05-02 + + + hcode -- buffer overflow in mail.c