Bug 917617 (CVE-2023-47248) - <dev-python/pyarrow-14.0.1: arbitrary code execution
Summary: <dev-python/pyarrow-14.0.1: arbitrary code execution
Status: RESOLVED FIXED
Alias: CVE-2023-47248
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://lists.apache.org/thread/yhy7t...
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-20 03:47 UTC by John Helmert III
Modified: 2023-11-24 04:15 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-20 03:47:24 UTC
CVE-2023-47248:

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.

If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See  https://pypi.org/project/pyarrow-hotfix/  for instructions.

Please bump to 14.0.1.
Comment 1 Tupone Alfredo gentoo-dev 2023-11-20 16:28:06 UTC
Reading the CVE it seems that the version of pyarrow in the tree is not affected.
So I suppose there is no hurry to bump for this reason
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-21 03:59:55 UTC
How so? 0.14.0 < 12.0.1 < 14.0.0, no?
Comment 3 Tupone Alfredo gentoo-dev 2023-11-21 06:49:33 UTC
(In reply to John Helmert III from comment #2)
> How so? 0.14.0 < 12.0.1 < 14.0.0, no?

Sorry. I read from 14.0.0 to 14.0.0.
Forgive me
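The affected range in the advisory quoted in the description (0.14.0 through 14.0.0, fixed in 14.0.1) is what the exchange in comments 1 to 3 turns on. Below is an added example, not code from the bug report, PyArrow or Gentoo, that makes the "0.14.0 < 12.0.1 < 14.0.0" comparison from comment 2 explicit as a numeric version check and reports the remediation the advisory gives (upgrade to 14.0.1, or `pyarrow-hotfix` where upgrading is not possible). The range constants come from the advisory; the parser and function names are this example's own. It also shows why a lexical string comparison of version strings would misclassify some releases, which is the usual bug in ad-hoc "am I affected" scripts.

```python
"""Check whether a PyArrow version is in the CVE-2023-47248 affected range.

Added example for this bug report; not code from PyArrow or Gentoo.
Range and fixed version are taken from the advisory quoted above.
"""
from __future__ import annotations

import re
from importlib import metadata

AFFECTED_MIN = (0, 14, 0)   # first affected release, per advisory
AFFECTED_MAX = (14, 0, 0)   # last affected release, per advisory
FIXED = (14, 0, 1)          # first fixed release, per advisory

_LEADING_DIGITS = re.compile(r"^\d+")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '12.0.1', '14.0.1.dev3' or '0.14' into a comparable 3-tuple.

    Only the leading digits of each dotted component are kept, so a
    pre-release tag such as 'rc1' or '.dev3' is ignored; a missing minor
    or patch component counts as 0. Raises ValueError if nothing numeric
    is present.
    """
    parts: list[int] = []
    for piece in text.strip().split("."):
        m = _LEADING_DIGITS.match(piece)
        if m is None:
            break  # first non-numeric component (e.g. 'dev3') ends the version
        parts.append(int(m.group(0)))
    if not parts:
        raise ValueError(f"no numeric version components in {text!r}")
    major, minor, patch = (parts + [0, 0, 0])[:3]
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the version lies in [0.14.0, 14.0.0], compared numerically."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def naive_string_compare_is_affected(text: str) -> bool:
    """The tempting-but-wrong check: lexical comparison of the raw strings.

    Shown only to illustrate the pitfall: '9.0.0' sorts after '14.0.0'
    as text, so this reports a vulnerable release as safe.
    """
    return "0.14.0" <= text <= "14.0.0"


def advise(text: str) -> str:
    """Human-readable remediation for one version string, per the advisory."""
    v = parse_version(text)
    if v < AFFECTED_MIN:
        return "not affected (predates 0.14.0)"
    if v <= AFFECTED_MAX:
        return ("affected: upgrade to 14.0.1 or later, or install "
                "pyarrow-hotfix if upgrading is not possible")
    return "not affected (14.0.1 or later)"


def check_installed() -> str:
    """Look up the pyarrow distribution in the current environment, if any."""
    try:
        installed = metadata.version("pyarrow")
    except metadata.PackageNotFoundError:
        return "pyarrow is not installed in this environment"
    return f"pyarrow {installed}: {advise(installed)}"


if __name__ == "__main__":
    # Constructed sample versions, including the 12.0.1 from comment 2.
    for v in ("0.13.0", "0.14.0", "9.0.0", "12.0.1", "14.0.0", "14.0.1"):
        print(f"{v:>8}  numeric={is_affected(v)!s:5}  "
              f"lexical={naive_string_compare_is_affected(v)!s:5}  {advise(v)}")
    print(check_installed())
```

Running it shows the numeric and lexical columns agreeing for every sample except 9.0.0, where the string comparison reports an affected release as safe; the numeric check is the one to use.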
Comment 4 Larry the Git Cow gentoo-dev 2023-11-22 00:48:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6907d7cf70ad61c6f0501c6bdfb404fe2f8c4890

commit 6907d7cf70ad61c6f0501c6bdfb404fe2f8c4890
Author:     Alfredo Tupone <tupone@gentoo.org>
AuthorDate: 2023-11-22 00:47:56 +0000
Commit:     Alfredo Tupone <tupone@gentoo.org>
CommitDate: 2023-11-22 00:48:34 +0000

    dev-python/pyarrow: add 14.0.1
    
    Bug: https://bugs.gentoo.org/917617
    Signed-off-by: Alfredo Tupone <tupone@gentoo.org>

 dev-python/pyarrow/Manifest              |  1 +
 dev-python/pyarrow/pyarrow-14.0.1.ebuild | 72 ++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-22 19:29:56 UTC
Thanks, please cleanup!
Comment 6 Larry the Git Cow gentoo-dev 2023-11-23 15:39:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=750fb4c02cb8564f9b577195edc52ffabeb537d6

commit 750fb4c02cb8564f9b577195edc52ffabeb537d6
Author:     Alfredo Tupone <tupone@gentoo.org>
AuthorDate: 2023-11-23 15:38:10 +0000
Commit:     Alfredo Tupone <tupone@gentoo.org>
CommitDate: 2023-11-23 15:38:29 +0000

    dev-python/pyarrow: drop 12.0.1
    
    Bug: https://bugs.gentoo.org/917617
    Signed-off-by: Alfredo Tupone <tupone@gentoo.org>

 dev-python/pyarrow/Manifest              |  1 -
 dev-python/pyarrow/pyarrow-12.0.1.ebuild | 71 --------------------------------
 2 files changed, 72 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-24 04:15:05 UTC
Thanks, all done!