RSEC-2023-5

Import Source: https://github.com/RConsortium/r-advisory-database/blob/main/vulns/haven/RSEC-2023-5.yaml
JSON Data: https://api.osv.dev/v1/vulns/RSEC-2023-5
Published: 2023-10-05T05:00:00.600Z
Modified: 2023-10-20T07:27:00.600Z
Summary
Infinite loop, memory leak, and heap-based buffer over-read vulnerabilities
Details

The haven R package is exposed to multiple vulnerabilities due to issues in its underlying ReadStat library. The specific flaws include an infinite loop condition, a memory leak associated with an iconv_open call, and a heap-based buffer over-read via an unterminated string. Exploitation of these vulnerabilities could lead to Denial of Service or other undefined behaviors.

References

Affected packages

CRAN / haven

Package

Name: haven

Affected ranges

Type: ECOSYSTEM
Events:
Introduced: 0.1.0
Fixed: 1.1.1

Affected versions

0.*

0.1.0
0.1.1
0.2.0
0.2.1

1.*

1.0.0
1.1.0