CarterFendley commented on PR #50647: URL: https://github.com/apache/spark/pull/50647#issuecomment-2836976414
@dongjoon-hyun That is helpful context, and makes a lot more sense. I am not on many of those mailing lists, so that is helpful to know. Thank you!

> Especially, when it's unable to affect Spark users.

I am not sure about this. In the general case, yes, I agree, as stated on previous PRs. However, with respect to this specific example, if the example is followed directly with a vulnerable version of the `parquet-avro` module, I believe it will lead users of Spark who are following it to be vulnerable. The `AvroParquetInputFormat` class which this example is [instructing users to supply](https://github.com/apache/spark/blob/08aa15010ce5535150adf4ef8286955b041f0ecb/examples/src/main/python/parquet_inputformat.py#L63) is a part of the vulnerable module. And it appears to be connected to the vulnerable code ([AvroParquetInputFormat](https://github.com/apache/parquet-java/blob/236ddb9e592d5cecbea3a309ec55164975671f65/parquet-avro/src/main/java/org/apache/parquet/avro/AvroParquetInputFormat.java#L32-L34) > [AvroReadSupport](https://github.com/apache/parquet-java/blob/236ddb9e592d5cecbea3a309ec55164975671f65/parquet-avro/src/main/java/org/apache/parquet/avro/AvroReadSupport.java#L212) > [AvroRecordConverter](https://github.com/apache/parquet-java/blob/236ddb9e592d5cecbea3a309ec55164975671f65/parquet-avro/src/main/java/org/apache/parquet/avro/AvroRecordConverter.java#L157) > [FieldStringableConverter](https://github.com/wgtmac/parquet-mr/blob/7caf4b5406b4b8f118feac657924cbf3c8c47f63/parquet-avro/src/main/java/org/apache/parquet/avro/AvroConverters.java#L275)).

As this is your area of expertise, not mine, please let me know if I have made a mistake here. I will remove mention of the CVE due to the other considerations mentioned above; the context you provided me made sense!

-- 
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org