PYSEC-2019-196

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyarrow/PYSEC-2019-196.yaml
Aliases
Published
2019-11-08T19:15:00Z
Modified
2023-11-08T04:01:04.600457Z
Details

While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365, it was discovered that Apache Arrow versions 0.12.0 to 0.14.1 left Array data memory uninitialized when reading RLE null data from Parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if the arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.

References

Affected packages

PyPI / pyarrow

Package

Name
pyarrow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.12.0
Fixed
0.15.0

Affected versions

0.*

0.12.0
0.12.1
0.13.0
0.14.0
0.14.1