Ok thank you very much.. I guess that if Arrow uses flatbuffers to
serialize schemas and metadata for IPC that is going to come always from a
trusted source (from Arrow itself I guess) so no security risks here.

Thank you very much!

Roberto.

El mié., 31 ago. 2022 16:04, Andrew Lamb <[email protected]> escribió:

> This advisory is related to the Rust implementation of Arrow. I do not
> think there are any exploitable vulnerabilities in arrow due to the
> underlying flatbuffers dependency.
>
> The TLDR is that if an application accepts data that claims to be in the
> Arrow in memory format from an untrusted source, it is a security risk: The
> arrow implementation does not do additional validation (including on the
> embedded flatbuffers) for performance reasons.
>
> The way one signals this "the input data must be trusted" property in Rust
> is to mark the API as `unsafe`. The arrow-rs API marks APIs for reading
> Arrow from external formats as unsafe (and please let us know if you find
> any examples to the contrary)
>
> The specific vulnerability reported basically says that the underlying
> flatbuffers APIs are not correctly marked as unsafe thus leading to
> potentially masked vulnerabilities if users take input from trusted sources.
>
> Andrew
>
> On Wed, Aug 31, 2022 at 9:26 AM Roberto Diaz <[email protected]>
> wrote:
>
>> Hello dear Arrow user members.
>>
>> I am writing to you due to this reported flatbuffers vulnerability:
>>
>>
>> https://github.com/advisories/GHSA-3jch-9qgp-4844
>>
>> It seems there is no fix up to now.
>>
>> I wonder if this is affecting apache arrow somehow.. I can read the
>> following:
>>
>> https://arrow.apache.org/faq/
>>
>> The Arrow file format does use Flatbuffers under the hood to serialize
>> schemas and other metadata needed to implement the Arrow binary IPC
>> protocol, but the Arrow data format uses its own representation for optimal
>> access and computation.
>>
>> I wonder if someone has analysed this vulnerability for apache arrow.
>>
>> Thank you very much and best regards
>>
>> Roberto.
>>
>