PT-2018-10524 · R Core Team · Haven R Package

Published: 2018-05-22 · Updated: 2023-10-05 · CVE-2018-11365

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: ReadStat version 0.1.1; haven R package (affected versions not specified)

Description: The issue involves an infinite loop condition, a memory leak associated with an iconv_open call, and a heap-based buffer over-read via an unterminated string. Any of these can lead to denial of service or other undefined behavior.

Recommendations: For ReadStat version 0.1.1, update to a version that fixes the infinite loop in sas/readstat_sas7bcat_read.c. For the haven R package, consider restricting use of the underlying ReadStat library until a patch is available. As a temporary workaround, consider disabling the iconv_open call to minimize the risk of memory leaks, and avoid passing unterminated strings to the affected API until the issue is resolved. At the moment there is no information about a newer version of the haven R package that contains a fix for this vulnerability.

Weakness Enumeration: Infinite Loop

Related Identifiers: CVE-2018-11365, RSEC-2023-5

Affected Products: ReadStat, Haven R Package