(www.bleepingcomputer.com)

174 points andy99 | 1 comments | 06 Apr 25 17:21 UTC | HN request time: 0s | source

Show context

ustad ◴[06 Apr 25 17:48 UTC] No.43603319[source]▶

Does anyone know if pandas is affected? I serialize/deserialize dataframes which pandas uses parquet under the hood.

minimaxir ◴[06 Apr 25 18:06 UTC] No.43603494[source]▶

Pandas doesn't use the parquet python package under the hood: https://pandas.pydata.org/docs/reference/api/pandas.read_par...

> Parquet library to use. If ‘auto’, then the option io.parquet.engine is used. The default io.parquet.engine behavior is to try ‘pyarrow’, falling back to ‘fastparquet’ if ‘pyarrow’ is unavailable.

Those should be unaffected.

replies(1): >>43603695 #

westurner ◴[06 Apr 25 18:30 UTC] No.43603695[source]▶

>>43603494 #

Python pickles have the same issue but it is a design decision per the docs.

Python docs > library > pickle: https://docs.python.org/3/library/pickle.html

Re: a hypothetical pickle parser protocol that doesn't eval code at parse time; "skipcode pickle protocol 6: "AI Supply Chain Attack: How Malicious Pickle Files Backdoor Models" .. "Insecurity and Python Pickles" : https://news.ycombinator.com/item?id=43426963

replies(2): >>43604174 #>>43605367 #

1. ◴[06 Apr 25 19:25 UTC] No.43604174{3}[source]▶

>>43603695 #

↑

Max severity RCE flaw discovered in widely used Apache Parquet