Evan Miller

**Name of the Vulnerable Software and Affected Versions** ReadStat version 0.1.1 haven R package (affected versions not specified) **Description** The issue is related to multiple flaws in the ReadStat library, including an infinite loop condition, a memory leak associated with an `iconv open` call, and a heap-based buffer over-read via an unterminated string. These flaws could lead to Denial of Service or other undefined behaviors. **Recommendations** For ReadStat version 0.1.1, update to a version that fixes the memory leak and other issues. For the haven R package, apply any available patches or updates that address the vulnerabilities in the underlying ReadStat library. As a temporary workaround, consider restricting the use of the `sav parse machine integer info record` function in `spss/readstat sav read.c` until a patch is available.

Name of the Vulnerable Software and Affected Versions: haven R package (affected versions not specified) libreadstat.a in WizardMac ReadStat version 0.1.1 Description: The issue is related to multiple problems in the underlying ReadStat library of the haven R package, including an infinite loop condition, a memory leak associated with an `iconv open` call, and a heap-based buffer over-read via an unterminated string. This could lead to Denial of Service or other undefined behaviors. Recommendations: For libreadstat.a in WizardMac ReadStat version 0.1.1, update to a version that addresses the heap-based buffer over-read issue. For the haven R package, consider restricting the use of the ReadStat library until a patch is available that fixes the infinite loop condition, memory leak, and heap-based buffer over-read.