Hi Dirk

On Wed, Feb 10, 2021 at 12:18:04PM -0600, Dirk Eddelbuettel wrote:
> As for your suggested patch to R's own dynload.c:  that is very well tested
> and robust system code I do not have any real intention of changing because
> one package out of 17k at CRAN is having hiccups under one (maybe suboptimal)
> Debian config.

I really doubt that, because the code as it is right now can't be used
in any sensible way without an absolute path.  To load anything from
/usr/lib*, which is the primary use of dlopen, you need to hardcode the
path.

The documentation does not even mention any such specific differences to
how the system loader works on non-Windows.[1]  So I doubt this is used
often or at all.

Also this is the same problem as CVE-2016-1238, see DSA-3628[2].  I
can provide a CVE id for R.

Regards,
Bastian

[1]: https://www.rdocumentation.org/packages/base/versions/3.6.2/topics/dyn.load
[2]: https://www.debian.org/security/2016/dsa-3628
-- 
There is a multi-legged creature crawling on your shoulder.
                -- Spock, "A Taste of Armageddon", stardate 3193.9
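The point of the message above is the difference between how dlopen(3) resolves a bare library name (through the loader's search path, so /usr/lib* works without an absolute path) and a loader that turns bare names into current-directory paths, which is the CVE-2016-1238 class of problem. The following is an added example, not code from the thread, from R, or from Debian; it models the POSIX dlopen rule, labels the "prefix the current directory" behaviour the mail attributes to dyn.load as an assumption, and gives a defender-side check that flags load requests resolving into the caller's working directory. Function names, the sample library names, and the sample working directory are the example's own.

```python
"""Added example (not from the thread): how dlopen(3) resolves a library
name, and a check that flags the current-directory-relative loads the mail
warns about. All names and helpers here are the example's own."""
import ctypes
import os


def classify_dlopen_name(name: str) -> str:
    """POSIX dlopen() rule: a name containing a slash is a file path, taken
    relative to the process CWD unless absolute; a bare name is resolved by
    the dynamic loader's search path (LD_LIBRARY_PATH, ld.so.cache, the
    default library directories such as /usr/lib*)."""
    if os.path.isabs(name):
        return "absolute"
    if "/" in name:
        return "cwd-relative"
    return "search-path"


def cwd_prefixed_resolution(name: str, cwd: str) -> str:
    """ASSUMPTION (from the mail, not verified against dynload.c): a loader
    that prefixes the current directory to non-absolute names. Such a loader
    opens a file in the caller's CWD, never the copy in /usr/lib*."""
    if os.path.isabs(name):
        return name
    return os.path.normpath(os.path.join(cwd, name))


def audit_load_request(name: str, cwd: str, cwd_prefixing: bool = False) -> dict:
    """Defender-side check: report how a load request resolves and whether the
    resolution stays on trusted paths. A load that lands in the caller's
    working directory is untrusted: whoever controls that directory (the
    CVE-2016-1238 scenario) controls which code gets executed."""
    kind = classify_dlopen_name(name)
    if cwd_prefixing and kind == "search-path":
        # The assumed dyn.load-style behaviour: bare name becomes CWD-relative.
        kind = "cwd-relative"
    target = cwd_prefixed_resolution(name, cwd) if kind == "cwd-relative" else name
    return {
        "name": name,
        "kind": kind,
        "resolves_to": target,
        "trusted": kind != "cwd-relative",
    }


def try_dlopen(name: str) -> bool:
    """Ask the real system loader (via ctypes) whether it can find the name.
    Returns True on success, False if dlopen() failed; never raises."""
    try:
        ctypes.CDLL(name)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample requests; the last two are deliberately non-existent.
    here = os.getcwd()
    for request in ("libm.so.6", "./libplugin.so", "/usr/lib/libplugin.so"):
        print(audit_load_request(request, here))
        print(audit_load_request(request, here, cwd_prefixing=True))
        print("  system loader found it:", try_dlopen(request))
```

Run it from a directory you control: a bare `libm.so.6` is reported as `search-path` and trusted under the POSIX rule, but under the assumed CWD-prefixing behaviour the same request is reported as resolving into the working directory and flagged untrusted, which is exactly why the mail says only absolute paths are usable with such a loader.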
