List: oss-security
Subject: [oss-security] CVE-2023-47248: PyArrow, PyArrow: Arbitrary code execution when loading a malicious d
From: Antoine Pitrou <apitrou@apache.org>
Date: 2023-11-08 18:05:51
Message-ID: 8bd7dfdd-1a33-1b6c-11d5-c65ebb736eb8@apache.org
Severity: critical
Affected versions:
- PyArrow 0.14.0 through 14.0.0
Description:
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.

If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.
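As an added example (not part of the advisory or the Arrow project's code), a small gate an application can put in front of any read of untrusted IPC/Feather/Parquet input: it checks the installed PyArrow against the affected range and fix version stated above, and otherwise requires the hotfix to have been imported into the process. It assumes the `pyarrow-hotfix` package is importable as the module `pyarrow_hotfix`.

```python
"""Refuse to read untrusted Arrow/Parquet data unless CVE-2023-47248 is fixed or hot-fixed."""
import importlib
import re

# Affected range and fixed version as stated in the advisory.
FIRST_AFFECTED = (0, 14, 0)
LAST_AFFECTED = (14, 0, 0)
FIXED = (14, 0, 1)


def parse_version(text: str) -> tuple:
    """Turn '14.0.1', '13.0' or '14.0.0.dev5' into a comparable (major, minor, patch) tuple."""
    parts = re.findall(r"\d+", text)[:3]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if this PyArrow release falls inside the vulnerable range 0.14.0 .. 14.0.0."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def hotfix_active() -> bool:
    """Importing the module applies the hotfix (assumption: module name is pyarrow_hotfix)."""
    try:
        importlib.import_module("pyarrow_hotfix")
        return True
    except ImportError:
        return False


def check_pyarrow_safe(version: str, hotfix_loaded: bool) -> bool:
    """Untrusted input may be read if the version is outside the affected range or the hotfix is loaded."""
    return (not is_affected(version)) or hotfix_loaded


def read_untrusted_parquet(path: str):
    """Read a Parquet file only after the installed PyArrow is known to be fixed or hot-fixed."""
    import pyarrow
    import pyarrow.parquet as pq
    if not check_pyarrow_safe(pyarrow.__version__, hotfix_active()):
        raise RuntimeError(
            f"pyarrow {pyarrow.__version__} is in the CVE-2023-47248 affected range and "
            "pyarrow_hotfix is not importable; upgrade to 14.0.1 or later, or install "
            "pyarrow-hotfix, before reading untrusted IPC/Feather/Parquet data")
    return pq.read_table(path)
```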
References:
https://arrow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-47248