There are some cases (e.g. arrow flight, and the .arrow / IPC file format) that can come from other sources, but that depends on your use case

On Wed, Aug 31, 2022 at 11:35 AM Roberto Diaz <rdiazmar...@gmail.com> wrote:
> Ok thank you very much.. I guess that if Arrow uses flatbuffers to
> serialize schemas and metadata for IPC that is going to come always from a
> trusted source (from Arrow itself I guess) so no security risks here.
>
> Thank you very much!
>
> Roberto.
>
> On Wed., Aug 31, 2022 16:04, Andrew Lamb <al...@influxdata.com> wrote:
>
>> This advisory is related to the Rust implementation of Arrow. I do not
>> think there are any exploitable vulnerabilities in arrow due to the
>> underlying flatbuffers dependency.
>>
>> The TLDR is that if an application accepts data that claims to be in the
>> Arrow in memory format from an untrusted source, it is a security risk: The
>> arrow implementation does not do additional validation (including on the
>> embedded flatbuffers) for performance reasons.
>>
>> The way one signals this "the input data must be trusted" property in
>> Rust is to mark the API as `unsafe`. The arrow-rs API marks APIs for
>> reading Arrow from external formats as unsafe (and please let us know if
>> you find any examples to the contrary)
>>
>> The specific vulnerability reported basically says that the underlying
>> flatbuffers APIs are not correctly marked as unsafe thus leading to
>> potentially masked vulnerabilities if users take input from trusted sources.
>>
>> Andrew
>>
>> On Wed, Aug 31, 2022 at 9:26 AM Roberto Diaz <rdiazmar...@gmail.com>
>> wrote:
>>
>>> Hello dear Arrow user members.
>>>
>>> I am writing to you due to this reported flatbuffers vulnerability:
>>>
>>> https://github.com/advisories/GHSA-3jch-9qgp-4844
>>>
>>> It seems there is no fix up to now.
>>>
>>> I wonder if this is affecting apache arrow somehow.. I can read the
>>> following:
>>>
>>> https://arrow.apache.org/faq/
>>>
>>> The Arrow file format does use Flatbuffers under the hood to serialize
>>> schemas and other metadata needed to implement the Arrow binary IPC
>>> protocol, but the Arrow data format uses its own representation for optimal
>>> access and computation.
>>>
>>> I wonder if someone has analysed this vulnerability for apache arrow.
>>>
>>> Thank you very much and best regards
>>>
>>> Roberto.
>>>
>>
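The thread's point is that the Arrow readers skip validation of the embedded flatbuffers for speed, so the trust boundary has to be enforced by the application before bytes from an external source (Flight, a .arrow file, an IPC stream) reach the decoder. The following is an added illustration, not code from the Arrow project or from anyone in this thread, of what a minimal pre-screen of one IPC encapsulated message looks like: it checks that the framing (the 0xFFFFFFFF continuation marker and the little-endian int32 metadata length, or the older marker-less framing) fits inside the received buffer, and that the flatbuffers root offset and vtable it would dereference first land inside the metadata. It is not a full flatbuffers verifier and does not replace the library's own checks; the sample frames are constructed here for the demonstration.

```python
import struct

CONTINUATION = 0xFFFFFFFF  # marker that precedes the metadata length in current IPC streams


def _check_flatbuffer_root(meta: bytes):
    """Bounds-check the root table and its vtable of a flatbuffers buffer.

    Only the offsets a decoder follows first are verified; this is an
    illustrative pre-screen, not a complete flatbuffers verifier.
    Returns None when the checks pass, otherwise a reason string.
    """
    if len(meta) < 4:
        return "metadata too short for a root offset"
    (root,) = struct.unpack_from("<I", meta, 0)          # uoffset_t to the root table
    if root + 4 > len(meta):
        return f"root offset {root} points outside the metadata"
    (vt_rel,) = struct.unpack_from("<i", meta, root)     # soffset_t: table_pos - vtable_pos
    vtable = root - vt_rel
    if vtable < 0 or vtable + 4 > len(meta):
        return f"vtable position {vtable} is outside the metadata"
    vt_size, obj_size = struct.unpack_from("<HH", meta, vtable)
    if vt_size < 4 or vtable + vt_size > len(meta):
        return f"vtable of size {vt_size} overruns the metadata"
    if root + obj_size > len(meta):
        return f"root table of size {obj_size} overruns the metadata"
    return None


def screen_ipc_message(data: bytes) -> dict:
    """Screen one encapsulated IPC message before handing it to a real reader.

    Result: {"ok": bool, "reason": str | None, "metadata_len": int | None}.
    """
    def reject(reason):
        return {"ok": False, "reason": reason, "metadata_len": None}

    if len(data) < 4:
        return reject("frame shorter than 4 bytes")
    (first,) = struct.unpack_from("<I", data, 0)
    if first == CONTINUATION:
        if len(data) < 8:
            return reject("continuation marker without a metadata length")
        (meta_len,) = struct.unpack_from("<i", data, 4)
        header = 8
    else:
        # older streams carry no continuation marker: the first int32 is the length
        (meta_len,) = struct.unpack_from("<i", data, 0)
        header = 4
    if meta_len == 0:
        # a zero length is the end-of-stream marker, not a message
        return {"ok": True, "reason": "end-of-stream marker", "metadata_len": 0}
    if meta_len < 0:
        return reject(f"negative metadata length {meta_len}")
    if header + meta_len > len(data):
        return reject(f"metadata length {meta_len} exceeds the {len(data)}-byte frame")
    problem = _check_flatbuffer_root(data[header:header + meta_len])
    if problem is not None:
        return reject(problem)
    return {"ok": True, "reason": None, "metadata_len": meta_len}


# ---- constructed sample frames (not captured from any real producer) ----
def _minimal_flatbuffer() -> bytes:
    # root offset 8 -> table at byte 8; vtable at byte 4 with zero fields
    vtable = struct.pack("<HH", 4, 4)       # vtable size, inline table size
    table = struct.pack("<i", 8 - 4)        # soffset from table back to vtable
    return struct.pack("<I", 8) + vtable + table   # 12 bytes


def _frame(meta_len_field: int, meta: bytes) -> bytes:
    return struct.pack("<I", CONTINUATION) + struct.pack("<i", meta_len_field) + meta


WELL_FORMED = _frame(16, _minimal_flatbuffer() + b"\x00" * 4)
LEGACY_FRAMING = struct.pack("<i", 16) + _minimal_flatbuffer() + b"\x00" * 4
OVERSIZED_LENGTH = _frame(4096, _minimal_flatbuffer() + b"\x00" * 4)
BAD_ROOT = _frame(16, struct.pack("<I", 0x7FFFFFF0) + b"\x00" * 12)
END_OF_STREAM = _frame(0, b"")

if __name__ == "__main__":
    for name, frame in [("well-formed", WELL_FORMED), ("legacy", LEGACY_FRAMING),
                        ("oversized length", OVERSIZED_LENGTH), ("bad root", BAD_ROOT),
                        ("eos", END_OF_STREAM)]:
        print(name, screen_ipc_message(frame))
```

A frame that passes this screen still has to be decoded by the Arrow library; the point of the check is that a length or offset that would send the decoder outside the buffer is caught before the decoder, which (as Andrew notes) skips that work for performance, ever sees it.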