Because of security concerns, my employer asks me to run a vulnerability assessment for each R package before using it. The current method we have for vulnerability assessment is using the R package oysteR. This package actually checks vulnerabilities in the OSS Index from https://ossindex.sonatype.org.
Here is the code I used to run the vulnerability assessment, and one vulnerability was identified for the package haven.
In the returned data, the description of the vulnerability is:
"1 non-CVE vulnerability found. To see more details, please create a free account at https://https://ossindex.sonatype.org/ and request for this information using your registered account"
And from the website, I found this link:
https://ossindex.sonatype.org/vulnerability/sonatype-2021-1261?component-type=cran&component-name=haven
where I found the following description:
Description
[sonatype-2021-1261] CWE-122: Heap-based Buffer Overflow
r-haven - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Since the package haven is a dependency of many other packages, it would be great if the vulnerability could be cleaned up. I know it may not be a big issue, but the security team relies on the vulnerability report to approve R packages.
Thank you.
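The issue above describes running oysteR against installed packages and reading the OSS Index result, but the code itself did not survive in the report. The following is an added example written for this page, not the issue author's code, not the haven project's, and not part of oysteR's documentation. It assumes oysteR is installed and that the machine can reach ossindex.sonatype.org; the result column names (`package`, `version`, `no_of_vulnerabilities`) and the `get_vulnerabilities()` helper are the ones oysteR returned at the time of writing and should be treated as assumptions to check against the installed version.

```r
# Added example (not the issue author's code): audit installed R packages
# against the OSS Index with oysteR and list those with reported vulnerabilities.
library(oysteR)

# Query the OSS Index for every installed package. The audit result is a data
# frame with one row per package (column names below are an assumption).
audit <- audit_installed_r_pkgs(verbose = FALSE)

# Keep only packages for which the OSS Index reported at least one
# vulnerability; this is the list the security team would review.
flagged <- audit[audit$no_of_vulnerabilities > 0,
                 c("package", "version", "no_of_vulnerabilities")]
print(flagged)

# Expand the per-package vulnerability records (title, description, reference
# URL) so the report shows why a package such as haven was flagged.
if (nrow(flagged) > 0) {
  details <- get_vulnerabilities(audit)
  print(details[details$package %in% flagged$package, ])
}

# The same check for a single package and version (useful before installing a
# new dependency); "haven" and its installed version are used here only as the
# example from the issue above.
single <- audit(pkg = "haven",
                version = as.character(packageVersion("haven")),
                type = "cran")
print(single)
```

Running the full audit produces the same kind of row the issue quotes for haven; the OSS Index entry itself (here sonatype-2021-1261) is only readable in full through a registered account, so the `reference` URL in the expanded records is what a reviewer would follow up on.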