←back to thread

Max severity RCE flaw discovered in widely used Apache Parquet

(www.bleepingcomputer.com)
174 points andy99 | 6 comments | 06 Apr 25 17:21 UTC | HN request time: 0.826s | source | bottom
1. 3eb7988a1663 ◴[06 Apr 25 18:06 UTC] No.43603491[source]
Maybe the headline should note that this a parser vulnerability, not the format itself. I suppose that is obvious, but my first knee-jerk thought was, "Am I going to have to re-encode XXX piles of data?"
replies(2): >>43603869 #>>43604836 #
2. brokensegue ◴[06 Apr 25 18:46 UTC] No.43603869[source]
What would it mean for the vulnerability to be in the format and not the parser?
replies(3): >>43603925 #>>43603966 #>>43606334 #
3. dist-epoch ◴[06 Apr 25 18:52 UTC] No.43603925[source]
Macros in old Microsoft Word documents were quite a popular attack.
4. 3eb7988a1663 ◴[06 Apr 25 18:57 UTC] No.43603966[source]
I don't know. Something like a Python pickle file where parsing is unavoidable.

On a second read, I realized a format problem was unlikely, but the headline just said, "Apache Parquet". My mind might the same conclusion if it said "safetensors" or "PNG".

5. necubi ◴[06 Apr 25 20:46 UTC] No.43604836[source]
Also that it's in the Java parquet library, which somehow is nowhere in the article
6. jonstewart ◴[07 Apr 25 00:46 UTC] No.43606334[source]
That data had to be encoded in a certain way which would lead to unavoidable exploitation in every conforming implementation. For example, PDF permits embedded JavaScript and… that has not gone well.