Patch R 4.0.0 - R 4.3.3 for CVE-2024-27322

We also update the NEWS file, so by grepping for
'CVE-2024-27322' one can tell if the patched version
is installed or not.

builder/patches/R-4.0.0.patch

@@ -0,0 +1,62 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS b/doc/NEWS
+index 1e5bc60..1ce0c7b 100644
+--- a/doc/NEWS
++++ b/doc/NEWS
+@@ -1,5 +1,10 @@
+ R News
+
++CHANGES IN POSIT'S BUILD FROM https://github.com/rstudio/r-builds
++
++    * readRDS() and unserialize() now signal an error instead of returning a PROMSXP,
++      to fix CVE-2024-27322.
++
+ CHANGES IN 4.0.0:
+
+   SIGNIFICANT USER-VISIBLE CHANGES:

builder/patches/R-4.0.1.patch

@@ -0,0 +1,62 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS b/doc/NEWS
+index 8cd0e5c..10e38db 100644
+--- a/doc/NEWS
++++ b/doc/NEWS
+@@ -1,5 +1,10 @@
+ R News
+
++CHANGES IN POSIT'S BUILD FROM https://github.com/rstudio/r-builds
++
++    * readRDS() and unserialize() now signal an error instead of returning a PROMSXP,
++      to fix CVE-2024-27322.
++
+ CHANGES IN R 4.0.1:
+
+   NEW FEATURES:

builder/patches/R-4.0.2.patch

@@ -0,0 +1,62 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS b/doc/NEWS
+index 502ee68..704deb0 100644
+--- a/doc/NEWS
++++ b/doc/NEWS
+@@ -1,5 +1,10 @@
+ R News
+
++CHANGES IN POSIT'S BUILD FROM https://github.com/rstudio/r-builds
++
++    * readRDS() and unserialize() now signal an error instead of returning a PROMSXP,
++      to fix CVE-2024-27322.
++
+ CHANGES IN R 4.0.2:
+
+   UTILITIES:

builder/patches/R-4.0.3.patch

@@ -0,0 +1,62 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS b/doc/NEWS
+index 7983a71..16c6674 100644
+--- a/doc/NEWS
++++ b/doc/NEWS
+@@ -1,5 +1,10 @@
+ R News
+
++CHANGES IN POSIT'S BUILD FROM https://github.com/rstudio/r-builds
++
++    * readRDS() and unserialize() now signal an error instead of returning a PROMSXP,
++      to fix CVE-2024-27322.
++
+ CHANGES IN R 4.0.3:
+
+   NEW FEATURES:

builder/patches/R-4.0.4.patch

@@ -0,0 +1,62 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS b/doc/NEWS
+index ceaf22c..0688cd2 100644
+--- a/doc/NEWS
++++ b/doc/NEWS
+@@ -1,5 +1,10 @@
+ R News
+
++CHANGES IN POSIT'S BUILD FROM https://github.com/rstudio/r-builds
++
++    * readRDS() and unserialize() now signal an error instead of returning a PROMSXP,
++      to fix CVE-2024-27322.
++
+ CHANGES IN R 4.0.4:
+
+   NEW FEATURES:

builder/patches/R-4.0.5.patch

@@ -0,0 +1,62 @@
+commit c06f7f2518673a75f9b36f2af9caf7b69ab4952e
+Author: luke <luke@00db46b3-68df-0310-9c12-caf00c1e9a41>
+Date:   Sun Mar 31 19:35:58 2024 +0000
+
+    readRDS() and unserialize() now signal an errorr instead of returning a PROMSXP.
+
+
+    git-svn-id: https://svn.r-project.org/R/trunk@86235 00db46b3-68df-0310-9c12-caf00c1e9a41
+
+diff --git a/src/main/serialize.c b/src/main/serialize.c
+index a389f71311..a190fbf8f3 100644
+--- a/src/main/serialize.c
++++ b/src/main/serialize.c
+@@ -2650,6 +2650,13 @@ do_serializeToConn(SEXP call, SEXP op, SEXP args, SEXP env)
+     return R_NilValue;
+ }
+
++static SEXP checkNotPromise(SEXP val)
++{
++    if (TYPEOF(val) == PROMSXP)
++	error(_("cannot return a promise (PROMSXP) object"));
++    return val;
++}
++
+ /* unserializeFromConn(conn, hook) used from readRDS().
+    It became public in R 2.13.0, and that version added support for
+    connections internally */
+@@ -2699,7 +2706,7 @@ do_unserializeFromConn(SEXP call, SEXP op, SEXP args, SEXP env)
+ 	con->close(con);
+ 	UNPROTECT(1);
+     }
+-    return ans;
++    return checkNotPromise(ans);
+ }
+
+ /*
+@@ -3330,8 +3337,8 @@ attribute_hidden SEXP
+ do_serialize(SEXP call, SEXP op, SEXP args, SEXP env)
+ {
+     checkArity(op, args);
+-    if (PRIMVAL(op) == 2) return R_unserialize(CAR(args), CADR(args));
+-
++    if (PRIMVAL(op) == 2) //return R_unserialize(CAR(args), CADR(args));
++	return checkNotPromise(R_unserialize(CAR(args), CADR(args)));
+     SEXP object, icon, type, ver, fun;
+     object = CAR(args); args = CDR(args);
+     icon = CAR(args); args = CDR(args);
+diff --git a/doc/NEWS b/doc/NEWS
+index b20a8ee..7ed2d27 100644
+--- a/doc/NEWS
++++ b/doc/NEWS
+@@ -1,5 +1,10 @@
+ R News
+
++CHANGES IN POSIT'S BUILD FROM https://github.com/rstudio/r-builds
++
++    * readRDS() and unserialize() now signal an error instead of returning a PROMSXP,
++      to fix CVE-2024-27322.
++
+ CHANGES IN R 4.0.5:
+
+   BUG FIXES: