
jorisvandenbossche/pyarrow-hotfix

 
 


PyArrow Hotfix


Description

This is a hotfix for the PyArrow security vulnerability CVE-2023-47248.

We generally recommend upgrading to PyArrow 14.0.1 or later, but if you cannot upgrade, this package disables the vulnerability on older versions.

Installation

Use pip to install:

pip install pyarrow_hotfix

Note

Both pyarrow-hotfix and pyarrow_hotfix are accepted and point to the same package.

Usage

pyarrow_hotfix must be imported in your application or library code for it to take effect:

import pyarrow_hotfix

Supported versions

pyarrow_hotfix supports all Python versions starting from Python 3.5, and all PyArrow versions starting from 0.14.0.

Dependencies

pyarrow_hotfix is a pure Python package that does not have any explicit dependencies, and assumes you have installed pyarrow through other means (such as pip or conda).

Example

>>> import pyarrow as pa
>>> import pyarrow_hotfix
>>>
>>> pa.ipc.open_file('data.arrow')
Traceback (most recent call last):
  [ ... ]
RuntimeError: forbidden deserialization of 'arrow.py_extension_type': storage_type = null, serialized = b"\x80\x03cbuiltins\neval\nq\x00X\x15\x00\x00\x00print('hello world!')q\x01\x85q\x02Rq\x03.", pickle disassembly:
    0: \x80 PROTO      3
    2: c    GLOBAL     'builtins eval'
   17: q    BINPUT     0
   19: X    BINUNICODE "print('hello world!')"
   45: q    BINPUT     1
   47: \x85 TUPLE1
   48: q    BINPUT     2
   50: R    REDUCE
   51: q    BINPUT     3
   53: .    STOP
highest protocol among opcodes = 2
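
The disassembly in the error message above can be reproduced without unpickling anything. The following is an added example, not code from pyarrow_hotfix: it walks a payload's opcodes with the standard-library pickletools module and reports imported globals and call opcodes. The names inspect_pickle and is_data_only and the BENIGN sample are constructed for this illustration.

```python
import pickletools

# Serialized bytes copied from the RuntimeError message in the Example above.
FLAGGED = (b"\x80\x03cbuiltins\neval\nq\x00X\x15\x00\x00\x00"
           b"print('hello world!')q\x01\x85q\x02Rq\x03.")
# Constructed sample: protocol-2 pickle of {'a': 1}, data only.
BENIGN = b"\x80\x02}q\x00X\x01\x00\x00\x00aq\x01K\x01s."

# Opcodes that make the unpickler call or instantiate something.
CALL_OPS = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def inspect_pickle(data):
    """Walk the opcode stream with pickletools; nothing is unpickled."""
    report = {"globals": [], "calls": [], "error": None}
    strings = []  # string arguments seen so far, for STACK_GLOBAL
    try:
        for op, arg, pos in pickletools.genops(data):
            if op.name in ("GLOBAL", "INST"):
                # arg is "module name", e.g. "builtins eval"
                report["globals"].append(arg.replace(" ", ".", 1))
            elif op.name == "STACK_GLOBAL":
                # Heuristic: module and name are the last two strings pushed.
                report["globals"].append(".".join(strings[-2:]) or "<unknown>")
            elif isinstance(arg, str):
                strings.append(arg)
            if op.name in CALL_OPS:
                report["calls"].append((pos, op.name))
    except ValueError as exc:  # truncated or malformed stream
        report["error"] = str(exc)
    return report


def is_data_only(data):
    """True only if the stream parses fully and imports or calls nothing."""
    r = inspect_pickle(data)
    return not (r["globals"] or r["calls"] or r["error"])


if __name__ == "__main__":
    for name, blob in (("flagged", FLAGGED), ("benign", BENIGN)):
        print(name, inspect_pickle(blob), is_data_only(blob))
```

A payload that fails to parse is treated as not data-only, so a truncated stream is rejected rather than passed along.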

License

Like pyarrow, pyarrow_hotfix is distributed under the terms of the Apache License, version 2.0.
