Rebuild supported versions for CVE-2024-27322

r-hub · May 24, 2024 · 57ef107 · 57ef107
1 parent 7d1ea2b
commit 57ef107
Show file tree

Hide file tree

Showing 20 changed files with 1,177 additions and 7 deletions.
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -17,12 +17,12 @@ jobs:
         config:
 #        - { r: 'devel' }
 #        - { r: 'next'  }
-        - { r: '4.4.0' }
-#        - { r: '4.3.3' }
-#        - { r: '4.2.3' }
-#        - { r: '4.1.3' }
-#        - { r: '4.0.5' }
-#        - { r: '3.6.3' }
+#        - { r: '4.4.0' }
+        - { r: '4.3.3' }
+        - { r: '4.2.3' }
+        - { r: '4.1.3' }
+        - { r: '4.0.5' }
+        - { r: '3.6.3' }
 
     steps:
     - name: Checkout

diff --git a/Dockerfile b/Dockerfile
@@ -14,7 +14,7 @@ ARG R_VERSION=4.4.0
 WORKDIR /root
 
 RUN apk add --no-cache gcc musl-dev gfortran g++ zlib-dev bzip2-dev xz-dev pcre-dev \
-    pcre2-dev curl-dev make perl readline-dev
+    pcre2-dev curl-dev make perl readline-dev patch
 
 RUN if [[ "$R_VERSION" == "devel" ]]; then                                   \
         wget https://cran.r-project.org/src/base-prerelease/R-devel.tar.gz;  \
@@ -48,6 +48,13 @@ RUN if [[ "${R_VERSION}" != "next" ]] && [[ "${R_VERSION}" != "devel" ]] \
       perl -i -0pe 's/#if LIBCURL_VERSION_MAJOR > 7\n  exit[(]1[)]/#if LIBCURL_VERSION_MAJOR > 7\n  exit(0)/gms' configure; \
     fi
 
+COPY patches patches
+RUN cd R-${R_VERSION} && ls -l .. && if [ -f "../patches/R-${R_VERSION}.patch" ]; then \
+      echo Patching R;                                                     \
+      patch -p1 < "../patches/R-${R_VERSION}.patch";                       \
+    fi
+
+
 RUN cd R-${R_VERSION} &&                                                 \
     . FLAGS &&                                                           \
     CXXFLAGS=-D__MUSL__  ./configure                                     \
@@ -63,8 +70,10 @@ RUN strip -x /usr/local/lib/R/lib/*
 RUN find /usr/local/lib/R -name "*.so" -exec strip -x \{\} \;
 
 RUN rm -rf /usr/local/lib/R/library/translations
+RUN cp /usr/local/lib/R/doc/NEWS.rds /tmp
 RUN rm -rf /usr/local/lib/R/doc
 RUN mkdir -p /usr/local/lib/R/doc/html
+RUN cp /tmp/NEWS.rds /usr/local/lib/R/doc/
 RUN find /usr/local/lib/R/library -name help | xargs rm -rf
 
 RUN find /usr/local/lib/R/share/zoneinfo/America/ -mindepth 1 -maxdepth 1 \

diff --git a/patches/R-4.0.0.patch b/patches/R-4.0.0.patch
@@ -0,0 +1,64 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd
+index 094396b..75fae89 100644
+--- a/doc/NEWS.Rd
++++ b/doc/NEWS.Rd
+@@ -6,6 +6,12 @@
+ \encoding{UTF-8}
+
+ \section{\Rlogo CHANGES IN 4.0.0}{
++  \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{
++    \itemize{
++      \item readRDS() and unserialize() now signal an error instead of
++      returning a PROMSXP, to fix CVE-2024-27322.
++    }
++  }
+
+   \subsection{SIGNIFICANT USER-VISIBLE CHANGES}{
+     \itemize{
diff --git a/patches/R-4.0.1.patch b/patches/R-4.0.1.patch
@@ -0,0 +1,64 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd
+index 9417774..5a7fa23 100644
+--- a/doc/NEWS.Rd
++++ b/doc/NEWS.Rd
+@@ -6,6 +6,12 @@
+ \encoding{UTF-8}
+
+ \section{\Rlogo CHANGES IN R 4.0.1}{
++  \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{
++    \itemize{
++      \item readRDS() and unserialize() now signal an error instead of
++      returning a PROMSXP, to fix CVE-2024-27322.
++    }
++  }
+
+   \subsection{NEW FEATURES}{
+     \itemize{
diff --git a/patches/R-4.0.2.patch b/patches/R-4.0.2.patch
@@ -0,0 +1,64 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd
+index 4c45f26..69285cd 100644
+--- a/doc/NEWS.Rd
++++ b/doc/NEWS.Rd
+@@ -6,6 +6,12 @@
+ \encoding{UTF-8}
+
+ \section{\Rlogo CHANGES IN R 4.0.2}{
++  \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{
++    \itemize{
++      \item readRDS() and unserialize() now signal an error instead of
++      returning a PROMSXP, to fix CVE-2024-27322.
++    }
++  }
+
+   \subsection{UTILITIES}{
+     \itemize{
diff --git a/patches/R-4.0.3.patch b/patches/R-4.0.3.patch
@@ -0,0 +1,64 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd
+index 916961a..521a1fd 100644
+--- a/doc/NEWS.Rd
++++ b/doc/NEWS.Rd
+@@ -6,6 +6,12 @@
+ \encoding{UTF-8}
+
+ \section{\Rlogo CHANGES IN R 4.0.3}{
++  \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{
++    \itemize{
++      \item readRDS() and unserialize() now signal an error instead of
++      returning a PROMSXP, to fix CVE-2024-27322.
++    }
++  }
+
+   \subsection{NEW FEATURES}{
+     \itemize{
diff --git a/patches/R-4.0.4.patch b/patches/R-4.0.4.patch
@@ -0,0 +1,64 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd
+index ec44c62..510dadc 100644
+--- a/doc/NEWS.Rd
++++ b/doc/NEWS.Rd
+@@ -6,6 +6,12 @@
+ \encoding{UTF-8}
+
+ \section{\Rlogo CHANGES IN R 4.0.4}{
++  \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{
++    \itemize{
++      \item readRDS() and unserialize() now signal an error instead of
++      returning a PROMSXP, to fix CVE-2024-27322.
++    }
++  }
+
+   \subsection{NEW FEATURES}{
+     \itemize{