Conversation
glin
left a comment
glin
left a comment
There was a problem hiding this comment.
@bhogan-mitre thanks! I saw there was some discussion in the png repo, is there anything left to do here or is this ready to go?
|
@glin thanks for checking. This one is debatable. It seems that the only way to get a vulnerable version of That said, even on R 4.5 a vulnerable version of For reference, when I was checking png 0.1-8, I got 
Do you have thoughts on where vulnerabilities with Rtools should be tracked? I don't see an obvious github issues page to report those and I just emailed the maintainer of Rtools to report this one. Although it can impact several R packages that depend on Rtools, as well as the build process that prepares binary versions for CRAN. |
|
@bhogan-mitre Honestly, no idea and it's a hard question 🙂. We've talked about it before in an R Consortium working group meeting and didn't come up with any good answers. Rtools is kind of weird, in that it's basically a software distribution on Windows that doesn't really use a package management system. You update by installing the latest installer exe, and previous installers are just deleted off of CRAN. The only easy way (?) to tell what's inside Rtools is to read through the NEWS doc, https://cran.r-project.org/bin/windows/Rtools/rtools45/news.html I think it'd fit most appropriately as its own ecosystem, similar to a linux distro, but it's also very specific and tied into R and CRAN. I don't know where Rtools vulnerabilities are tracked, but the news file will mention them when system libs are patched for some CVE. A second complication is that OSV and this advisory database have no good way of capturing vulns in binary distributions of CRAN packages. Unlike a PyPI where the binaries and source code are all tied to the same published package version, you can get CRAN binaries for These If the underlying system lib isn't tied or bundled with the package itself, then it's real tricky to record a vulnerability for it. For this png case where the fallback script could technically download a vulnerable libpng, it does make sense to record a vulnerability to me. But I'm curious if we could add more detail on when the fallback is triggered, e.g. what version of R or associated Rtools version that is. If it's R 3.x, then I'm sure there are enough legacy 3.x uses out there that people would find this useful. If it's R 2.x from 15+ years ago though, then yeah, that's more debatable. |
|
Hi @glin, thanks for the info and your thoughts on this. I agree and I wish there was more transparency around what users get from Rtools, and a more clear process for reporting issues there. Thanks for mentioning the working group. I'm guessing it's this one: r-repositories-wg On the png package, I believe I've narrowed down the issue to R versions < 4.2. I installed png 0.1-8 (prior to the recent fix) from source on a handful of Windows R versions. It looks like R >= 4.2 will get libpng from Rtools. Earlier versions of R will get vintage 2011 libpng downloaded as part of the png package installation. R 3.6.3, libpng downloaded during png install R 4.1.3, libpng downloaded during png install R 4.2.3, libpng used from Rtools42 I'll update the PR to reflect the R versions where the download of a vulnerable libpng is applicable. |
…or png vulnerability
|
I updated the summary and description here. Let me know if you think that language is okay with respect to Rtools. I'm open to suggestions there. Thanks @glin. |
|
@bhogan-mitre thanks, that looks good. R 4.1 is still commonly used and in many packages' (e.g. Tidyverse, Posit products) support windows, so I think this makes sense to add. And yes, that's repo for the Repositories working group. |
2 participants
No description provided.