Bug 1216991 (CVE-2023-47248) - VUL-0: CVE-2023-47248: python-arrow: Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution
Summary: VUL-0: CVE-2023-47248: python-arrow: Deserialization of untrusted data in IPC...
Status: RESOLVED FIXED
Alias: CVE-2023-47248
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL: https://smash.suse.de/issue/384467/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-47248:9.8:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-09 11:42 UTC by SMASH SMASH
Modified: 2024-06-07 07:40 UTC
CC List: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description SMASH SMASH 2023-11-09 11:42:33 UTC
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.

If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-47248
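The advisory above gives an affected range (0.14.0 to 14.0.0), a fixed release (14.0.1) and a fallback package (`pyarrow-hotfix`) for installations that cannot upgrade. The following triage helper is an added example for this bug entry; it is not code from the PyArrow project, from the pyarrow-hotfix project or from the bug report. It parses an installed PyArrow version string, decides whether the deployment falls inside the advisory's range, and, only when it does, tries to apply the hotfix the way its PyPI page documents (importing `pyarrow_hotfix` is what activates it). All function names here are the example's own; the version parser deliberately ignores pre-release and local tags, which is an assumption noted in the code.

```python
"""Triage helper for CVE-2023-47248 (added example, not from the advisory or PyArrow)."""
from __future__ import annotations

import importlib
from typing import Optional

# Range and fix version exactly as stated in the advisory text above.
AFFECTED_MIN = (0, 14, 0)   # first affected release
AFFECTED_MAX = (14, 0, 0)   # last affected release
FIXED = (14, 0, 1)          # first release carrying the upstream fix


def parse_version(text: str) -> tuple:
    """Reduce a version string to a (major, minor, patch) tuple of ints.

    Only the leading numeric components are used, so '14.0.1.dev3' and
    '0.17.1+local' become (14, 0, 1) and (0, 17, 1). Assumption: pre-release
    and local tags are ignored, which treats e.g. '14.0.1rc0' like 14.0.1.
    """
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def installed_pyarrow_version() -> Optional[str]:
    """Version of the installed pyarrow distribution, or None if absent."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("pyarrow")
    except PackageNotFoundError:
        return None


def triage(version: Optional[str]) -> str:
    """Classify a version: 'absent', 'fixed', 'affected' or 'unaffected-old'."""
    if version is None:
        return "absent"
    v = parse_version(version)
    if v >= FIXED:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "unaffected-old"   # older than 0.14.0, outside the advisory's range


def apply_hotfix_if_needed(version: Optional[str]) -> str:
    """Apply pyarrow-hotfix only for affected versions.

    Returns 'not-needed', 'hotfix-applied' or 'hotfix-missing'. Per the
    pyarrow-hotfix PyPI page, importing the module is what installs the fix.
    """
    if triage(version) != "affected":
        return "not-needed"
    try:
        importlib.import_module("pyarrow_hotfix")
    except ImportError:
        return "hotfix-missing"   # package (or pyarrow itself) not installed
    return "hotfix-applied"


if __name__ == "__main__":
    ver = installed_pyarrow_version()
    print(f"pyarrow {ver!r}: {triage(ver)} -> {apply_hotfix_if_needed(ver)}")
```

Running the module prints the decision for the current interpreter; a result of `affected -> hotfix-missing` means neither mitigation the advisory names is in place and IPC, Feather or Parquet files from untrusted sources should not be read until one is.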
Comment 3 John Paul Adrian Glaubitz 2023-11-13 15:07:30 UTC
I just noticed that this issue affects the upstream Python package called "PyArrow" but not the "arrow" package that ships in openSUSE and SLE distributions as "python-arrow".

The upstream package "pyarrow" is packaged as "python-pyarrow" and is currently part of openSUSE Tumbleweed and ALP. I will update the package in Tumbleweed now to address the CVE.
Comment 4 Ondřej Súkup 2023-11-14 02:53:46 UTC
It directly depends on the arrow package in the exact same version -> https://build.opensuse.org/request/show/1125775
Comment 5 OBSbugzilla Bot 2023-11-14 10:05:03 UTC
This is an autogenerated message for OBS integration:
This bug (1216991) was mentioned in
https://build.opensuse.org/request/show/1125832 Factory / python-pyarrow
Comment 6 Karen Van der Veer 2023-11-15 15:00:25 UTC
Public Cloud team does not own this package. Please assign to python team.