CVE-2023-47248: Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions. Please bump to 14.0.1.
Reading the CVE it seems that the version of pyarrow in the tree is not affected. So I suppose there is no hurry to bump for this reason.
How so? 0.14.0 < 12.0.1 < 14.0.0, no?
(In reply to John Helmert III from comment #2)
> How so? 0.14.0 < 12.0.1 < 14.0.0, no?

Sorry. I read from 14.0.0 to 14.0.0. Forgive me.
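The advisory gives an affected range of 0.14.0 through 14.0.0, and the comments above show how easy it is to misread it. The following is an added example, not code from this bug or from the PyArrow project: it parses a version string into a numeric tuple and checks it against that range, so that components are compared as numbers rather than as strings (string comparison would put "9.0.0" after "14.0.0"). It uses only the Python standard library and assumes nothing about whether pyarrow is installed; `installed_pyarrow_status` simply reports "not installed" when it is absent.

```python
"""Check a PyArrow version against the CVE-2023-47248 affected range
(0.14.0 through 14.0.0 inclusive), comparing versions numerically."""
import re
from importlib import metadata

# Range quoted in the advisory; 14.0.1 is the first fixed release.
FIRST_AFFECTED = (0, 14, 0)
LAST_AFFECTED = (14, 0, 0)

# Leading numeric components only: '14.0.0rc1' -> 14, 0, 0
_NUMERIC_PREFIX = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(version: str) -> tuple:
    """Turn '12.0.1' into (12, 0, 1).

    A suffix such as 'rc1' or '.dev0' is ignored, which deliberately errs on
    the side of treating a pre-release of an affected version as affected.
    Missing components are padded with 0, so '14' becomes (14, 0, 0).
    """
    m = _NUMERIC_PREFIX.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) if p is not None else 0 for p in m.groups()]
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True if this PyArrow version lies inside the advisory's range."""
    v = parse_version(version)
    # Tuple comparison is component-wise and numeric: (9,0,0) < (14,0,0).
    return FIRST_AFFECTED <= v <= LAST_AFFECTED


def installed_pyarrow_status() -> str:
    """Describe the PyArrow installed in this interpreter, if any."""
    try:
        version = metadata.version("pyarrow")
    except metadata.PackageNotFoundError:
        return "pyarrow is not installed"
    if is_affected(version):
        return (f"pyarrow {version} is in the CVE-2023-47248 affected range; "
                "upgrade to 14.0.1 or later")
    return f"pyarrow {version} is outside the affected range"


if __name__ == "__main__":
    # Constructed sample values, including the two discussed in this bug:
    # 12.0.1 (in the tree at the time) and 14.0.1 (the fixed release).
    for v in ("0.13.0", "0.14.0", "9.0.0", "12.0.1", "14.0.0", "14.0.1"):
        print(f"{v:>7}: {'affected' if is_affected(v) else 'not affected'}")
    print(installed_pyarrow_status())
```

Running the block prints one line per sample version followed by the status of whatever pyarrow (if any) is installed; the same `is_affected` check can be dropped into a CI or audit script that reads versions from `pip freeze` output.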
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6907d7cf70ad61c6f0501c6bdfb404fe2f8c4890

commit 6907d7cf70ad61c6f0501c6bdfb404fe2f8c4890
Author:     Alfredo Tupone <tupone@gentoo.org>
AuthorDate: 2023-11-22 00:47:56 +0000
Commit:     Alfredo Tupone <tupone@gentoo.org>
CommitDate: 2023-11-22 00:48:34 +0000

    dev-python/pyarrow: add 14.0.1

    Bug: https://bugs.gentoo.org/917617
    Signed-off-by: Alfredo Tupone <tupone@gentoo.org>

 dev-python/pyarrow/Manifest              |  1 +
 dev-python/pyarrow/pyarrow-14.0.1.ebuild | 72 ++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
Thanks, please cleanup!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=750fb4c02cb8564f9b577195edc52ffabeb537d6

commit 750fb4c02cb8564f9b577195edc52ffabeb537d6
Author:     Alfredo Tupone <tupone@gentoo.org>
AuthorDate: 2023-11-23 15:38:10 +0000
Commit:     Alfredo Tupone <tupone@gentoo.org>
CommitDate: 2023-11-23 15:38:29 +0000

    dev-python/pyarrow: drop 12.0.1

    Bug: https://bugs.gentoo.org/917617
    Signed-off-by: Alfredo Tupone <tupone@gentoo.org>

 dev-python/pyarrow/Manifest              |  1 -
 dev-python/pyarrow/pyarrow-12.0.1.ebuild | 71 --------------------------------
 2 files changed, 72 deletions(-)
Thanks, all done!