{"id":"RSEC-2023-5","summary":"Infinite loop, memory leak, and heap-based buffer over-read vulnerabilities","details":"The haven R package is exposed to multiple vulnerabilities due to issues in its underlying ReadStat library. The specific flaws include an infinite loop condition, a memory leak associated with an iconv_open call, and a heap-based buffer over-read via an unterminated string. Exploitation of these vulnerabilities could lead to Denial of Service or other undefined behaviors.","modified":"2025-05-19T19:43:47.336587Z","published":"2023-10-05T05:00:00.600Z","upstream":["CVE-2018-11364","CVE-2018-11365","CVE-2018-5698"],"references":[{"type":"WEB","url":"https://security-tracker.debian.org/tracker/CVE-2018-11365"},{"type":"WEB","url":"https://security-tracker.debian.org/tracker/CVE-2018-11364"},{"type":"WEB","url":"https://security-tracker.debian.org/tracker/CVE-2018-5698"},{"type":"WEB","url":"https://github.com/WizardMac/ReadStat/issues/108"},{"type":"WEB","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899335"}],"affected":[{"package":{"name":"haven","ecosystem":"CRAN","purl":"pkg:cran/haven"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.1.0"},{"fixed":"1.1.1"}]}],"versions":["0.1.0","0.1.1","0.2.0","0.2.1","1.0.0","1.1.0"],"database_specific":{"source":"https://github.com/RConsortium/r-advisory-database/blob/main/vulns/haven/RSEC-2023-5.yaml"}}],"schema_version":"1.7.3"}