Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.
Created R tracking bugs for this issue: Affects: epel-all [bug 2277886] Affects: fedora-38 [bug 2277887] Affects: fedora-39 [bug 2277888] Affects: fedora-40 [bug 2277889]
*** Bug 2278152 has been marked as a duplicate of this bug. ***