I hope this message finds you well. Following the recent announcement of a vulnerability related to the RDS exploit in R (https://hiddenlayer.com/research/r-bitrary-code-execution/), recent discussions on social media have raised concerns about the credibility of the R language. Any code, including pure R code, can potentially be malicious if it is executed without proper scrutiny. It is worth noting that a similar problem was reported for Python's pickle a few years ago: https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/#Exploiting-Serialization
In my opinion, the central problem is not the exploit itself, but whether it has been introduced into any CRAN package. I believe we must conduct a comprehensive review of all existing CRAN packages. Additionally, I would expect the introduction of an additional step in the R CMD check process. It is stated that the R Team is aware of this and that the exploit is fixed in R 4.4.0, but I cannot find any clear bullet point in the NEWS file for 4.4.0 (https://cran.r-project.org/doc/manuals/r-release/NEWS.html).

I look forward to your thoughts and to collaborating closely on this urgent review.

KR
Maciej Nasinski
University of Warsaw

______________________________________________
R-package-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-package-devel