[R] Regarding the Security Vulnerability CVE 2024 - 27322

Ivan Krylov |kry|ov @end|ng |rom d|@root@org
Thu Jun 27 16:58:07 CEST 2024


On Thu, 27 Jun 2024 11:08:53 +0000
"Priya, Aishwarya" <Aishwarya.Priya using dell.com> wrote:

> Is there a way to patch or upgrade the existing installation to
> version 4.4.0, rather than having to uninstall the older version and
> then install the latest one?

I don't think that there is a supported way to do that. The main
problem is the library, the place where the user-installed packages are
stored. While it's not impossible to take a library from R-4.2,
transplant it to R-4.4, and selectively upgrade only the packages that
need to be reinstalled, it takes manual effort and a lot of care, so
libraries in general are considered to be incompatible between major or
minor R versions [1]. (They should stay compatible between patch
versions.)

Do I understand it correctly that you're only interested in the Windows
builds of R?

If you need the upgrade to change as little as possible, you can try to
take the source code for the R version you would like to fix, apply a
single patch [2] on top of it, compile R using the corresponding
version of Rtools [3] and replace R.dll with the updated version. The
version of R will remain old, but the installation will be formally
immune to CVE 2024-27322. It should work, but there is no written
document promising that it will work.

[1]
https://cran.r-project.org/bin/windows/base/rw-FAQ.html#What_0027s-the-best-way-to-upgrade_003f

[2]
https://stat.ethz.ch/pipermail/r-devel/2024-April/083393.html

[3]
https://cran.r-project.org/bin/windows/base/howto-R-devel.html

-- 
Best regards,
Ivan
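
An added example, not part of the original message: an audit that lists the packages in a library that were built under a different major.minor R series than the running R, which is the set to review before reusing a library across versions as described above. The function name `audit_library` and its `lib_path` argument are hypothetical; only base R and `utils` functions are called.

```r
# Added example (not from the original message).
# Lists packages in a library whose "Built" field names a different
# major.minor R series than the R session running this script.
# audit_library and lib_path are hypothetical names for illustration.

# Reduce a version string such as "4.2.3" to its series, "4.2".
r_series <- function(v) {
  sub("^([0-9]+\\.[0-9]+).*$", "\\1", as.character(v))
}

audit_library <- function(lib_path = .libPaths()[1]) {
  cols <- c("Package", "Version", "Built", "NeedsCompilation")
  ip <- installed.packages(lib.loc = lib_path)
  if (nrow(ip) == 0) {
    # Empty library: return an empty report with the same columns.
    empty <- matrix(character(), nrow = 0, ncol = length(cols),
                    dimnames = list(NULL, cols))
    return(data.frame(empty, stringsAsFactors = FALSE))
  }
  built   <- ip[, "Built"]
  running <- r_series(getRversion())
  # A missing Built field is reported too, since it cannot be verified.
  mismatch <- is.na(built) | r_series(built) != running
  stale <- ip[mismatch, cols, drop = FALSE]
  data.frame(stale, row.names = NULL, stringsAsFactors = FALSE)
}

report <- audit_library()
print(report)
message(nrow(report), " package(s) in ", .libPaths()[1],
        " were built under a different R series than ", getRversion())

# Packages with NeedsCompilation == "yes" contain compiled code and are
# the ones most likely to need a rebuild. To reinstall everything that
# was built under an earlier major.minor version from the repositories:
#   update.packages(lib.loc = .libPaths()[1], checkBuilt = TRUE, ask = FALSE)
```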


