Commit 6a3601a1 authored by Thomas Gerbet's avatar Thomas Gerbet
Browse files

R: apply patch for CVE-2024-27322 

https://hiddenlayer.com/research/r-bitrary-code-execution/

Patch has been identified by checking the SCM logs.
I was not able to find another part of the patch.
Fedora 39 went the same way in https://src.fedoraproject.org/rpms/R/c/b1a4e124f24f03916877bc116c1f9e89dd6c34a5?branch=f39
See also https://github.com/spack/spack/issues/43932
parent c88c954f

pkgs/applications/science/math/R/default.nix

+7 −1
Original line number Diff line number Diff line 
{ lib, stdenv, fetchurl, bzip2, gfortran, libX11, libXmu, libXt, libjpeg, libpng

{ lib, stdenv, fetchurl, fetchpatch, bzip2, gfortran, libX11, libXmu, libXt, libjpeg, libpng

, libtiff, ncurses, pango, pcre2, perl, readline, tcl, texlive, texliveSmall, tk, xz, zlib

, less, texinfo, graphviz, icu, pkg-config, bison, imake, which, jdk, blas, lapack

, curl, Cocoa, Foundation, libobjc, libcxx, tzdata
@@ -37,6 +37,12 @@ stdenv.mkDerivation (finalAttrs: { 


  patches = [

    ./no-usr-local-search-paths.patch

    (fetchpatch {

      # https://hiddenlayer.com/research/r-bitrary-code-execution/

      name = "CVE-2024-27322.patch";

      url = "https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7.patch";

      hash = "sha256-CH2mMmie9E96JeGSC7UGm7/roUNhK5xv6HO53N2ixEI=";

    })

  ];



  # Test of the examples for package 'tcltk' fails in Darwin sandbox. See: