
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-qgrp-8f3v-q85p) affects the FixedSizeBinaryArray implementation in the Apache Arrow Rust package (arrow-rs). Discovered on September 14, 2021, and disclosed on June 16, 2022, this high-severity vulnerability exists in versions prior to 6.4.0 of the cargo arrow package. The core issue involves insufficient bounds checking in the FixedSizeBinaryArray implementation, which can lead to out-of-bounds reads in safe code (GitHub Advisory, RustSec Advisory).
The vulnerability stems from FixedSizeBinaryArray's failure to properly validate buffer sizes when accessing values and offsets. Specifically, when creating a FixedSizeBinaryArray from ArrayData, the implementation does not verify that size multiplied by length fits within the buffer size (size * len <= buffer size). This oversight can result in memory access violations when attempting to access values beyond the allocated buffer size (Arrow RS Issue).
The vulnerability allows out-of-bounds reads in safe code, which can lead to memory exposure and potential buffer overflow issues. This is particularly concerning as it bypasses Rust's memory safety guarantees, potentially exposing sensitive information from memory regions (RustSec Advisory).
The vulnerability has been patched in version 6.4.0 of the cargo arrow package. Users are strongly advised to upgrade to this version or later to address the security issue (GitHub Advisory).
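As an added illustration (not arrow-rs's own code), the following simplified Rust model shows the validation that is missing in the affected versions: the constructor that builds the array from ArrayData refuses any buffer shorter than value_size * len, so no later value access can read past the end of the buffer. The ArrayData, FixedSizeBinaryArray and ArrowError names are hypothetical stand-ins for the crate's real types.

```rust
// Simplified model of the FixedSizeBinaryArray bounds check described in
// the advisory. Names are hypothetical, not the arrow-rs API.

/// Stand-in for arrow's ArrayData: a flat byte buffer plus the logical
/// length and the fixed width of each value.
#[derive(Debug)]
pub struct ArrayData {
    pub len: usize,
    pub value_size: usize,
    pub buffer: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum ArrowError {
    InvalidArgument(String),
}

pub struct FixedSizeBinaryArray {
    len: usize,
    value_size: usize,
    buffer: Vec<u8>,
}

impl FixedSizeBinaryArray {
    /// Builds the array only if the buffer can back every value, i.e.
    /// value_size * len <= buffer.len(). The absence of this check in
    /// arrow < 6.4.0 is what allowed reads past the end of the buffer.
    pub fn try_new(data: ArrayData) -> Result<Self, ArrowError> {
        // checked_mul: a huge value_size * len must not wrap around and
        // slip past the comparison below.
        let required = data.value_size.checked_mul(data.len).ok_or_else(|| {
            ArrowError::InvalidArgument("value_size * len overflows usize".into())
        })?;
        if required > data.buffer.len() {
            return Err(ArrowError::InvalidArgument(format!(
                "buffer has {} bytes but {} values of {} bytes need {}",
                data.buffer.len(), data.len, data.value_size, required
            )));
        }
        Ok(Self { len: data.len, value_size: data.value_size, buffer: data.buffer })
    }

    pub fn len(&self) -> usize { self.len }

    /// Returns the i-th fixed-width value. Because try_new validated the
    /// buffer, the slice is always in bounds for any i < len.
    pub fn value(&self, i: usize) -> Option<&[u8]> {
        if i >= self.len { return None; }
        let start = i * self.value_size;
        Some(&self.buffer[start..start + self.value_size])
    }
}
```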
Source: This report was generated using AI