This advisory is related to the Rust implementation of Arrow. I do not think there are any exploitable vulnerabilities in arrow due to the underlying flatbuffers dependency.
The TLDR is that if an application accepts data that claims to be in the Arrow in-memory format from an untrusted source, it is a security risk: the arrow implementation does not do additional validation (including on the embedded flatbuffers) for performance reasons. The way one signals this "the input data must be trusted" property in Rust is to mark the API as `unsafe`. The arrow-rs API marks APIs for reading Arrow from external formats as unsafe (and please let us know if you find any examples to the contrary).

The specific vulnerability reported basically says that the underlying flatbuffers APIs are not correctly marked as unsafe, thus leading to potentially masked vulnerabilities if users take input from trusted sources.

Andrew

On Wed, Aug 31, 2022 at 9:26 AM Roberto Diaz <rdiazmar...@gmail.com> wrote:
> Hello dear Arrow user members.
>
> I am writing to you due to this reported flatbuffers vulnerability:
>
> https://github.com/advisories/GHSA-3jch-9qgp-4844
>
> It seems there is no fix up to now.
>
> I wonder if this is affecting Apache Arrow somehow. I can read the following:
>
> https://arrow.apache.org/faq/
>
> The Arrow file format does use Flatbuffers under the hood to serialize schemas and other metadata needed to implement the Arrow binary IPC protocol, but the Arrow data format uses its own representation for optimal access and computation.
>
> I wonder if someone has analysed this vulnerability for Apache Arrow.
>
> Thank you very much and best regards
>
> Roberto.
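The following is an added illustration of the "input must be trusted, so the API is `unsafe`" convention Andrew describes; it is not arrow-rs or flatbuffers code and does not use their APIs. It models a minimal Arrow-style variable-length binary column (an `i32` offsets buffer plus a data buffer, where row `i` is `data[offsets[i]..offsets[i+1]]`) with a hypothetical `BinaryColumn` type: the safe `try_new` validates the buffers before any unchecked indexing is trusted, while `new_unchecked` is `unsafe` precisely because it pushes that validation onto the caller, which is only acceptable for trusted input. The constructed sample buffers in `main` are mine, not from the thread.

```rust
// Added example (not arrow-rs code): a toy Arrow-like binary column whose fast
// accessor relies on layout invariants that must be checked on untrusted input.

#[derive(Debug, PartialEq)]
pub enum LayoutError {
    EmptyOffsets,
    NegativeOffset(usize),
    NonMonotonic(usize),
    OutOfBounds { last: i32, data_len: usize },
}

#[derive(Debug)]
pub struct BinaryColumn {
    offsets: Vec<i32>, // n + 1 entries for n rows, non-decreasing, >= 0
    data: Vec<u8>,     // offsets[n] must be <= data.len()
}

impl BinaryColumn {
    /// Checks every invariant that `value` later assumes without re-checking.
    pub fn validate(offsets: &[i32], data: &[u8]) -> Result<(), LayoutError> {
        if offsets.is_empty() {
            return Err(LayoutError::EmptyOffsets);
        }
        for (i, w) in offsets.windows(2).enumerate() {
            if w[0] < 0 {
                return Err(LayoutError::NegativeOffset(i));
            }
            if w[1] < w[0] {
                return Err(LayoutError::NonMonotonic(i + 1));
            }
        }
        let last = *offsets.last().unwrap();
        if last < 0 {
            return Err(LayoutError::NegativeOffset(offsets.len() - 1));
        }
        if last as usize > data.len() {
            return Err(LayoutError::OutOfBounds { last, data_len: data.len() });
        }
        Ok(())
    }

    /// Safe constructor: the right entry point for data from an untrusted source.
    pub fn try_new(offsets: Vec<i32>, data: Vec<u8>) -> Result<Self, LayoutError> {
        Self::validate(&offsets, &data)?;
        Ok(Self { offsets, data })
    }

    /// # Safety
    /// The caller guarantees `validate(&offsets, &data)` would return `Ok`.
    /// Marking this `unsafe` is how the trust requirement is made visible at
    /// every call site instead of being an undocumented assumption.
    pub unsafe fn new_unchecked(offsets: Vec<i32>, data: Vec<u8>) -> Self {
        Self { offsets, data }
    }

    pub fn len(&self) -> usize {
        self.offsets.len() - 1
    }

    /// Fast accessor: no per-row bounds checks on the data buffer.
    pub fn value(&self, i: usize) -> &[u8] {
        assert!(i < self.len(), "row index out of range");
        // SAFETY: offsets are validated by `try_new`, or promised valid by the
        // caller of `new_unchecked`; with a malicious offsets buffer and no
        // validation this would read out of bounds.
        unsafe {
            let start = *self.offsets.get_unchecked(i) as usize;
            let end = *self.offsets.get_unchecked(i + 1) as usize;
            self.data.get_unchecked(start..end)
        }
    }
}

fn main() {
    // Constructed sample input: three rows "foo", "", "barbaz".
    let col = BinaryColumn::try_new(vec![0, 3, 3, 9], b"foobarbaz".to_vec()).unwrap();
    for i in 0..col.len() {
        println!("row {}: {:?}", i, String::from_utf8_lossy(col.value(i)));
    }
    // Constructed hostile input: last offset points past the data buffer.
    let bad = BinaryColumn::try_new(vec![0, 4096], b"foo".to_vec());
    println!("hostile offsets rejected: {:?}", bad.err());
}
```

The design point is that the validation lives in the safe constructor once, so the hot-path accessor can stay unchecked; anyone who reaches for `new_unchecked` on bytes that arrived from the network is making exactly the mistake the `unsafe` keyword is there to flag.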