diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index e29915b..1954cc4 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -17,12 +17,12 @@ jobs:
config:
# - { r: 'devel' }
# - { r: 'next' }
- - { r: '4.4.0' }
-# - { r: '4.3.3' }
-# - { r: '4.2.3' }
-# - { r: '4.1.3' }
-# - { r: '4.0.5' }
-# - { r: '3.6.3' }
+# - { r: '4.4.0' }
+ - { r: '4.3.3' }
+ - { r: '4.2.3' }
+ - { r: '4.1.3' }
+ - { r: '4.0.5' }
+ - { r: '3.6.3' }
steps:
- name: Checkout
diff --git a/Dockerfile b/Dockerfile
index b9c4887..d224f52 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,7 +14,7 @@ ARG R_VERSION=4.4.0
WORKDIR /root
RUN apk add --no-cache gcc musl-dev gfortran g++ zlib-dev bzip2-dev xz-dev pcre-dev \
- pcre2-dev curl-dev make perl readline-dev
+ pcre2-dev curl-dev make perl readline-dev patch
RUN if [[ "$R_VERSION" == "devel" ]]; then \
wget https://cran.r-project.org/src/base-prerelease/R-devel.tar.gz; \
@@ -48,6 +48,13 @@ RUN if [[ "${R_VERSION}" != "next" ]] && [[ "${R_VERSION}" != "devel" ]] \
perl -i -0pe 's/#if LIBCURL_VERSION_MAJOR > 7\n exit[(]1[)]/#if LIBCURL_VERSION_MAJOR > 7\n exit(0)/gms' configure; \
fi
+COPY patches patches
+RUN cd R-${R_VERSION} && ls -l .. && if [ -f "../patches/R-${R_VERSION}.patch" ]; then \
+ echo Patching R; \
+ patch -p1 < "../patches/R-${R_VERSION}.patch"; \
+ fi
+
+
RUN cd R-${R_VERSION} && \
. FLAGS && \
CXXFLAGS=-D__MUSL__ ./configure \
@@ -63,8 +70,10 @@ RUN strip -x /usr/local/lib/R/lib/*
RUN find /usr/local/lib/R -name "*.so" -exec strip -x \{\} \;
RUN rm -rf /usr/local/lib/R/library/translations
+RUN cp /usr/local/lib/R/doc/NEWS.rds /tmp
RUN rm -rf /usr/local/lib/R/doc
RUN mkdir -p /usr/local/lib/R/doc/html
+RUN cp /tmp/NEWS.rds /usr/local/lib/R/doc/
RUN find /usr/local/lib/R/library -name help | xargs rm -rf
RUN find /usr/local/lib/R/share/zoneinfo/America/ -mindepth 1 -maxdepth 1 \
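Review bot: The `if [ -f "../patches/R-${R_VERSION}.patch" ]` guard on the new patching RUN line turns a missing backport into a silent no-op: a numbered release with no patch file builds and ships unpatched, and the workflow hunk above now builds `3.6.3` while this diff only shows patch files from `R-4.0.0` upward, so confirm that a `patches/R-3.6.3.patch` exists or that 3.6.3 is deliberately left out. At minimum an else branch should record the decision in the build log, `else echo "No patch for R-${R_VERSION}"; fi`; a stricter form would fail the build for any numbered version without a patch while still skipping `devel` and `next`. The `ls -l ..` on the same line reads as a debugging leftover. The exit status of `patch` does propagate through the `if`, so a hunk that fails to apply will break the build rather than pass silently.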
diff --git a/patches/R-4.0.0.patch b/patches/R-4.0.0.patch new file mode 100644 index 0000000..ce463af --- /dev/null +++ b/patches/R-4.0.0.patch 
@@ -0,0 +1,64 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 094396b..75fae89 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,12 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN 4.0.0}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. ++ } ++ } + + \subsection{SIGNIFICANT USER-VISIBLE CHANGES}{ + \itemize{ 
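Review bot: The serialize.c hunk in this patch file is the upstream trunk hunk verbatim (`index a389f71311..a190fbf8f3`, offsets `@@ -2650`, `@@ -2699`, `@@ -3330`), and the same bytes are reused in every other patches/R-4.*.patch file in this commit, so applying it to the older serialize.c layouts depends on `patch` locating the context at an offset. That is acceptable when it works, but the new workflow matrix builds only 4.3.3, 4.2.3, 4.1.3, 4.0.5 and 3.6.3, so the files for 4.0.0–4.0.4, 4.1.0–4.1.2, 4.2.0–4.2.2 and 4.3.0–4.3.1 are never applied by CI and an apply failure on one of them would first surface for a user building that version. A one-off check that dry-runs each file against its matching R source tree (`patch -p1 --dry-run < patches/R-<version>.patch`) before merging would close that gap.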
diff --git a/patches/R-4.0.1.patch b/patches/R-4.0.1.patch new file mode 100644 index 0000000..133c2ee --- /dev/null +++ b/patches/R-4.0.1.patch 
@@ -0,0 +1,64 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 9417774..5a7fa23 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,12 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.0.1}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. ++ } ++ } + + \subsection{NEW FEATURES}{ + \itemize{ 
diff --git a/patches/R-4.0.2.patch b/patches/R-4.0.2.patch new file mode 100644 index 0000000..e800c02 --- /dev/null +++ b/patches/R-4.0.2.patch 
@@ -0,0 +1,64 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 4c45f26..69285cd 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,12 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.0.2}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. ++ } ++ } + + \subsection{UTILITIES}{ + \itemize{ 
diff --git a/patches/R-4.0.3.patch b/patches/R-4.0.3.patch new file mode 100644 index 0000000..26021b2 --- /dev/null +++ b/patches/R-4.0.3.patch 
@@ -0,0 +1,64 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 916961a..521a1fd 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,12 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.0.3}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. ++ } ++ } + + \subsection{NEW FEATURES}{ + \itemize{ 
diff --git a/patches/R-4.0.4.patch b/patches/R-4.0.4.patch new file mode 100644 index 0000000..299a75b --- /dev/null +++ b/patches/R-4.0.4.patch 
@@ -0,0 +1,64 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index ec44c62..510dadc 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,12 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.0.4}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. ++ } ++ } + + \subsection{NEW FEATURES}{ + \itemize{ 
diff --git a/patches/R-4.0.5.patch b/patches/R-4.0.5.patch new file mode 100644 index 0000000..7b4a2ff --- /dev/null +++ b/patches/R-4.0.5.patch 
@@ -0,0 +1,64 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 5640a16..5bebf9e 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,12 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.0.5}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. 
++ } ++ } + \subsection{BUG FIXES}{ + \itemize{ + \item The change to the internal table in \R 4.0.4 for diff --git a/patches/R-4.1.0.patch b/patches/R-4.1.0.patch new file mode 100644 index 0000000..e314858 --- /dev/null +++ b/patches/R-4.1.0.patch 
@@ -0,0 +1,64 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 2fcc2e7..f0ed95b 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,12 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.1.0}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. 
++ } ++ } + \subsection{FUTURE DIRECTIONS}{ + \itemize{ + \item It is planned that the 4.1.x series will be the last to diff --git a/patches/R-4.1.1.patch b/patches/R-4.1.1.patch new file mode 100644 index 0000000..7e9cf80 --- /dev/null +++ b/patches/R-4.1.1.patch 
@@ -0,0 +1,65 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 8515986..760dccb 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,13 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.1.1}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. 
++ } ++ } ++ + \subsection{NEW FEATURES}{ + \itemize{ + \item \code{require(\var{pkg}, quietly = TRUE)} is quieter and in diff --git a/patches/R-4.1.2.patch b/patches/R-4.1.2.patch new file mode 100644 index 0000000..22c9d59 --- /dev/null +++ b/patches/R-4.1.2.patch 
@@ -0,0 +1,64 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 90c8408..d24571b 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,12 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.1.2}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. 
++ } ++ } + \subsection{C-LEVEL FACILITIES}{ + \itemize{ + \item The workaround in headers \file{R.h} and \file{Rmath.h} diff --git a/patches/R-4.1.3.patch b/patches/R-4.1.3.patch new file mode 100644 index 0000000..ef4dc08 --- /dev/null +++ b/patches/R-4.1.3.patch 
@@ -0,0 +1,65 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 8b4e587..b4f145e 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,13 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.1.3}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. 
++ } ++ } ++ + \subsection{NEW FEATURES}{ + \itemize{ + \item The default version of Bioconductor has been changed to diff --git a/patches/R-4.2.0.patch b/patches/R-4.2.0.patch new file mode 100644 index 0000000..bd21e3d --- /dev/null +++ b/patches/R-4.2.0.patch 
@@ -0,0 +1,64 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 62f25ae..82dfac6 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,12 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.2.0}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. 
++ } ++ } + \subsection{SIGNIFICANT USER-VISIBLE CHANGES}{ + \itemize{ + \item The \code{formula} method of \code{aggregate()} now matches diff --git a/patches/R-4.2.1.patch b/patches/R-4.2.1.patch new file mode 100644 index 0000000..a781117 --- /dev/null +++ b/patches/R-4.2.1.patch 
@@ -0,0 +1,65 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index 630c88f..3504a87 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,13 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.2.1}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. 
++ } ++ } ++ + \subsection{NEW FEATURES}{ + \itemize{ + \item New function \code{utils::findCRANmirror()} to find out if a diff --git a/patches/R-4.2.2.patch b/patches/R-4.2.2.patch new file mode 100644 index 0000000..fa06ce1 --- /dev/null +++ b/patches/R-4.2.2.patch 
@@ -0,0 +1,65 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index b52627e..aee4475 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,13 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.2.2}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. 
++ } ++ } ++ + \subsection{NEW FEATURES}{ + \itemize{ + \item \code{tools::Rdiff(useDiff = TRUE)} checks for the presence diff --git a/patches/R-4.2.3.patch b/patches/R-4.2.3.patch new file mode 100644 index 0000000..9dae986 --- /dev/null +++ b/patches/R-4.2.3.patch 
@@ -0,0 +1,65 @@ +commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e +Author: luke +Date: Sun Mar 31 19:35:58 2024 +0000 + + readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP. + + + git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41 + +diff --git a/src/main/serialize.c b/src/main/serialize.c +index a389f71311..a190fbf8f3 100644 +--- a/src/main/serialize.c ++++ b/src/main/serialize.c +@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env) + return R_NilValue; + } + ++static SEXP checkNotPromise(SEXP val) ++{ ++ if (TYPEOF(val) == PROMSXP) ++ error(_("cannot return a promise (PROMSXP) object")); ++ return val; ++} ++ + /* unserializeFromConn(conn, hook) used from readRDS(). + It became public in R 2.13.0, and that version added support for + connections internally */ +@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env) + con->close(con); + UNPROTECT(1); + } +- return ans; ++ return checkNotPromise(ans); + } + + /* +@@ -3330,8 +3337,8 @@ attribute_hidden SEXP + do_serialize(SEXP call, SEXP op, SEXP args, SEXP env) + { + checkArity(op, args); +- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args)); +- ++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args)); ++ return checkNotPromise(R_unserialize(CAR(args), CADR(args))); + SEXP object, icon, type, ver, fun; + object = CAR(args); args = CDR(args); + icon = CAR(args); args = CDR(args); +diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd +index fe2a646..986e83d 100644 +--- a/doc/NEWS.Rd ++++ b/doc/NEWS.Rd +@@ -6,6 +6,13 @@ + \encoding{UTF-8} + + \section{\Rlogo CHANGES IN R 4.2.3}{ ++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{ ++ \itemize{ ++ \item readRDS() and unserialize() now signal an error instead of ++ returning a PROMSXP, to fix CVE-2024-27322. 
++ } ++ } ++ + \subsection{C-LEVEL FACILITIES}{ + \itemize{ + \item The definition of \code{DL_FUNC} in \file{R_ext/Rdynload.h} diff --git a/patches/R-4.3.0.patch b/patches/R-4.3.0.patch new file mode 100644 index 0000000..9a4067a --- /dev/null +++ b/patches/R-4.3.0.patch 
@@ -0,0 +1,65 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke
+Date: Sun Mar 31 19:35:58 2024 +0000
+
+ readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+ git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++ if (TYPEOF(val) == PROMSXP)
++ error(_("cannot return a promise (PROMSXP) object"));
++ return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+ It became public in R 2.13.0, and that version added support for
+ connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ con->close(con);
+ UNPROTECT(1);
+ }
+- return ans;
++ return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+ checkArity(op, args);
+- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++ return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+ SEXP object, icon, type, ver, fun;
+ object = CAR(args); args = CDR(args);
+ icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd
+index 2fd50d5..6b24e71 100644
+--- a/doc/NEWS.Rd
++++ b/doc/NEWS.Rd
+@@ -6,6 +6,13 @@
+ \encoding{UTF-8}
+
+ \section{\Rlogo CHANGES IN R 4.3.0}{
++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{
++ \itemize{
++ \item readRDS() and unserialize() now signal an error instead of
++ returning a PROMSXP, to fix CVE-2024-27322.
++ }
++ }
++
+ \subsection{SIGNIFICANT USER-VISIBLE CHANGES}{
+ \itemize{
+ \item Calling \code{&&} or \code{||} with LHS or (if evaluated) RHS of
diff --git a/patches/R-4.3.1.patch b/patches/R-4.3.1.patch
new file mode 100644
index 0000000..22dfa7e
--- /dev/null
+++ b/patches/R-4.3.1.patch
@@ -0,0 +1,65 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke
+Date: Sun Mar 31 19:35:58 2024 +0000
+
+ readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+ git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++ if (TYPEOF(val) == PROMSXP)
++ error(_("cannot return a promise (PROMSXP) object"));
++ return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+ It became public in R 2.13.0, and that version added support for
+ connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ con->close(con);
+ UNPROTECT(1);
+ }
+- return ans;
++ return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+ checkArity(op, args);
+- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++ return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+ SEXP object, icon, type, ver, fun;
+ object = CAR(args); args = CDR(args);
+ icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd
+index 5ca6489..62db476 100644
+--- a/doc/NEWS.Rd
++++ b/doc/NEWS.Rd
+@@ -6,6 +6,13 @@
+ \encoding{UTF-8}
+
+ \section{\Rlogo CHANGES IN R 4.3.1}{
++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{
++ \itemize{
++ \item readRDS() and unserialize() now signal an error instead of
++ returning a PROMSXP, to fix CVE-2024-27322.
++ }
++ }
++
+ \subsection{C-LEVEL FACILITIES}{
+ \itemize{
+ \item The C-level API version of \R's \code{integrate()},
diff --git a/patches/R-4.3.2.patch b/patches/R-4.3.2.patch
new file mode 100644
index 0000000..97f22dd
--- /dev/null
+++ b/patches/R-4.3.2.patch
@@ -0,0 +1,65 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke
+Date: Sun Mar 31 19:35:58 2024 +0000
+
+ readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+ git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++ if (TYPEOF(val) == PROMSXP)
++ error(_("cannot return a promise (PROMSXP) object"));
++ return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+ It became public in R 2.13.0, and that version added support for
+ connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ con->close(con);
+ UNPROTECT(1);
+ }
+- return ans;
++ return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+ checkArity(op, args);
+- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++ return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+ SEXP object, icon, type, ver, fun;
+ object = CAR(args); args = CDR(args);
+ icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd
+index dd59f87..f3abe02 100644
+--- a/doc/NEWS.Rd
++++ b/doc/NEWS.Rd
+@@ -6,6 +6,13 @@
+ \encoding{UTF-8}
+
+ \section{\Rlogo CHANGES IN R 4.3.2}{
++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{
++ \itemize{
++ \item readRDS() and unserialize() now signal an error instead of
++ returning a PROMSXP, to fix CVE-2024-27322.
++ }
++ }
++
+ \subsection{NEW FEATURES}{
+ \itemize{
+ \item The default initialization of the \code{"repos"} option
diff --git a/patches/R-4.3.3.patch b/patches/R-4.3.3.patch
new file mode 100644
index 0000000..3f287db
--- /dev/null
+++ b/patches/R-4.3.3.patch
@@ -0,0 +1,65 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke
+Date: Sun Mar 31 19:35:58 2024 +0000
+
+ readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+ git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++ if (TYPEOF(val) == PROMSXP)
++ error(_("cannot return a promise (PROMSXP) object"));
++ return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+ It became public in R 2.13.0, and that version added support for
+ connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ con->close(con);
+ UNPROTECT(1);
+ }
+- return ans;
++ return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+ checkArity(op, args);
+- if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++ if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++ return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+ SEXP object, icon, type, ver, fun;
+ object = CAR(args); args = CDR(args);
+ icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS.Rd b/doc/NEWS.Rd
+index 25bdb12..7456662 100644
+--- a/doc/NEWS.Rd
++++ b/doc/NEWS.Rd
+@@ -7,6 +7,13 @@
+ \encoding{UTF-8}
+
+ \section{\Rlogo CHANGES IN R 4.3.3}{
++ \subsection{CHANGES IN R-MINIMAL FROM \url{https://github.com/r-hub/r-minimal}}{
++ \itemize{
++ \item readRDS() and unserialize() now signal an error instead of
++ returning a PROMSXP, to fix CVE-2024-27322.
++ }
++ }
++
+ \subsection{NEW FEATURES}{
+ \itemize{
+ \item \code{iconv()} now fixes up variant encoding names such as