On 30 April 2018 at 23:18, Moritz Muehlenhoff wrote:
| Source: r-base
| Severity: grave
| Tags: security
|
| Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9060
|
| I'm not sure whether this has been properly reported to the upstream
| developers. The timeline of the Github link above mentions
|
| 03-27-18: Emailed author, no response
| 04-03-18: Emailed author, no response
| 04-10-18: Emailed author, no response
| 04-23-18: New version released; Submitted public disclosure
|
| but it's not obvious who they contacted.

I will follow up, but we can close this.

Look e.g. at https://github.com/bzyo/CVE-PoCs/tree/master/CVE-2018-9060, which is one of the links in the URL above. The issue affects only the Windows GUI for R, which is a one-off piece of code (in the sources, mind you) which we do NOT build for Debian ever. I.e. when he writes

  # Vulnerability
  R 3.4.4 suffers from a local buffer overflow that allows code execution

  # Exploit
  1. run script and generate r344.txt, copy contents to clipboard
  2. open app, select Edit, select 'GUI preferences'
  3. paste r344.txt contents into 'Language for menus and messages'
  4. select OK
  5. pop calc

'clipboard' is a give-away, as is 'GUI preferences'. There is no GUI in R on Linux (there used to be a Gnome1/Gtk one a loooong time ago). 'pop calc' becomes clear with the image on that GH page -- the Windows calculator pops up.

This really is no concern for us, and I think we can close this.

Dirk

| Cheers,
| Moritz

--
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org