[GHSA-5wvp-7f3h-6wmm] Deserialization of untrusted data in IPC and Parquet... #2922
Conversation
| } | ||
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "< 14.0.0" |
There was a problem hiding this comment.
Seems like I made a mistake here.
| "last_known_affected_version_range": "< 14.0.0" | |
| "last_known_affected_version_range": "< 14.0.1" |
|
Also, how do we get the advisory to be published in https://github.com/apache/arrow/security/advisories ? (note that Apache projects are bit special: only the Apache Software Foundation's infrastructure team has admin access to GitHub repositories, project maintainers don't) |
Hi @pitrou, thanks for reaching out about CVE-2023-47248! Documentation about how to publish a repository security advisory is available here: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories I think a fix commit would be a good link to have in the references. Is this the fix for CVE-2023-47428? apache/arrow@f141709 |
Ah! I was hoping that you would be able to automatically create a repository security advisory from this one?
Yes, it is. |
Also, you could add a link to https://pypi.org/project/pyarrow-hotfix/ or https://github.com/pitrou/pyarrow-hotfix as a mitigation. |
|
Hi @pitrou! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
I'm part of the Project Management Committee (PMC) for Apache Arrow and I coordinated the response to the vulnerability report.