List:       oss-security
Subject:    [oss-security] CVE-2023-47248: PyArrow, PyArrow: Arbitrary code execution when loading a malicious d
From:       Antoine Pitrou <apitrou () apache ! org>
Date:       2023-11-08 18:05:51
Message-ID: 8bd7dfdd-1a33-1b6c-11d5-c65ebb736eb8 () apache ! org

Severity: critical

Affected versions:

- PyArrow 0.14.0 through 14.0.0

Description:

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions
0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it
reads Arrow IPC, Feather or Parquet data from untrusted sources (for example
user-supplied input files).

This vulnerability only affects PyArrow, not other Apache Arrow implementations or
bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is
recommended that downstream libraries upgrade their dependency requirements to
PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that
conda-forge packages will be available soon.

If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that
disables the vulnerability on older PyArrow versions. See
https://pypi.org/project/pyarrow-hotfix/ for instructions.
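As an added illustration of the remediation above (this is example code, not part of the advisory or of the PyArrow project), the following startup guard classifies the installed PyArrow against the affected range 0.14.0 through 14.0.0 and refuses to proceed when it is in range and unpatched. It assumes that the hotfix package applies its patch when its module `pyarrow_hotfix` is imported, so its presence in `sys.modules` is taken as the signal that the hotfix is active.

```python
import re
import sys
from typing import Tuple

# Affected range from the advisory: PyArrow 0.14.0 through 14.0.0; fixed in 14.0.1.
FIRST_AFFECTED = (0, 14, 0)
FIXED_IN = (14, 0, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the leading numeric (major, minor, patch) part of a version string.
    Suffixes such as "rc0" or ".dev1" are ignored; missing parts default to 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised PyArrow version: {version!r}")
    return tuple(int(p or 0) for p in m.groups())


def pyarrow_status(version: str, hotfix_loaded: bool) -> str:
    """Classify an installed PyArrow against CVE-2023-47248.
    Returns "fixed", "hotfixed", "vulnerable" or "not-affected"."""
    v = parse_version(version)
    if v >= FIXED_IN:
        return "fixed"
    if v < FIRST_AFFECTED:
        return "not-affected"  # below the advisory's affected range
    return "hotfixed" if hotfix_loaded else "vulnerable"


def hotfix_is_loaded() -> bool:
    # Assumption: importing the `pyarrow_hotfix` module is what applies the
    # pyarrow-hotfix patch, so its presence in sys.modules is the signal used here.
    return "pyarrow_hotfix" in sys.modules


def assert_safe_for_untrusted_input() -> str:
    """Call once at startup, before reading Arrow IPC, Feather or Parquet data
    from untrusted sources. Raises RuntimeError on an affected, unpatched PyArrow."""
    try:
        import pyarrow  # imported only to read the installed version
    except ImportError:
        return "pyarrow-not-installed"
    status = pyarrow_status(pyarrow.__version__, hotfix_is_loaded())
    if status == "vulnerable":
        raise RuntimeError(
            f"PyArrow {pyarrow.__version__} is affected by CVE-2023-47248; "
            "upgrade to 14.0.1 or later, or import pyarrow_hotfix first")
    return status


if __name__ == "__main__":
    print(assert_safe_for_untrusted_input())
```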

References:

https://arrow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-47248

