Re: [R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

2024-05-03 Thread Vladimir Dergachev
On Fri, 3 May 2024, Ivan Krylov via R-package-devel wrote: > Dear Maciej Nasinski, > On Fri, 3 May 2024 11:37:57 +0200 Maciej Nasinski wrote: > > I believe we must conduct a comprehensive review of all existing CRAN > > packages. > Why now? R packages are already code. You don't need poisoned RDS

Re: [R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

2024-05-03 Thread avi.e.gross
Yes, this may have hit the news as a problem but any code anywhere can be a security issue. If you want to read lots of R code and also the code for add-ins from libraries and compile everything from scratch with a trusted set of tools, and refuse to open any of the files being discussed and

Re: [R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

2024-05-03 Thread Josiah Parry
I agree with Ivan here. And more generally, R is a fully featured programming language. You don't need just this one "exploit" (though, it really does feel like a feature to some degree lol!) to be a bad guy with R. You can link to a pre-compiled binary (like my team makes for an R package that

Re: [R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

2024-05-03 Thread Ivan Krylov via R-package-devel
On Fri, 3 May 2024 18:17:52 +0200 Maciej Nasinski wrote: > I found the https://github.com/hrbrmstr/rdaradar solution and ran it > on the 100 most downloaded R packages. > Happily, all data/inst rda files are safe/non-exposed to RDS exploit > (using the linked solution). This is a bit useful -

Re: [R-pkg-devel] Error handling in C code

2024-05-03 Thread Duncan Murdoch
Most functions in R have a prefix on their name, with aliases defined so you can use the function without the prefix. But you can turn off the aliasing, in which case you need the true name. I think for all of the functions you list the prefix is "Rf_", so they are "Rf_error", etc. Perhaps

[R-pkg-devel] Error handling in C code

2024-05-03 Thread Jarrod Hadfield
Hi, I have an R library with C code in it. It has failed the CRAN checks for Debian. The problem is with the error function being undefined. Section 6.2 of the Writing R extensions (see below) suggests error handling can be handled by error and the appropriate header file is included in R.h,

Re: [R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

2024-05-03 Thread Maciej Nasinski
Hey All, Once more, Ivan, thank you for your great blog post. I found the https://github.com/hrbrmstr/rdaradar solution and ran it on the 100 most downloaded R packages. Happily, all data/inst rda files are safe/non-exposed to RDS exploit (using the linked solution). Please access my fork for the

Re: [R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

2024-05-03 Thread Maciej Nasinski
Dear Ivan, Your blog post is fantastic and I have already started to promote it on LinkedIn with full credit to you. KR Maciej Nasinski University of Warsaw > On 3 May 2024, at 12:04, Maciej Nasinski wrote: > > Dear Ivan, > > Thank you for such a quick response. > "It may be worth teaching people

Re: [R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

2024-05-03 Thread Maciej Nasinski
Dear Ivan, Thank you for such a quick response. "It may be worth teaching people that, in general, R data files should be as trusted as R code." I totally agree, and that is why I wrote that any code can be dangerous if run without proper scrutiny. A few LinkedIn posts generated most probably by

Re: [R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

2024-05-03 Thread Ivan Krylov via R-package-devel
Dear Maciej Nasinski, On Fri, 3 May 2024 11:37:57 +0200 Maciej Nasinski wrote: > I believe we must conduct a comprehensive review of all existing CRAN > packages. Why now? R packages are already code. You don't need poisoned RDS files to wreak havoc using an R package. On the other hand, R

[R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

2024-05-03 Thread Maciej Nasinski
I hope this message finds you well. Following the recent announcement of a vulnerability related to the RDS exploit in R (https://hiddenlayer.com/research/r-bitrary-code-execution/). Recent discussions on social media have raised concerns about the credibility of the R language. Any code,