GHSA-x563-6hqv-26mr: 
Python vulnerability analysis and mitigation

A critical vulnerability (GHSA-x563-6hqv-26mr) was discovered in PyArrow versions 0.14.0 to 14.0.0, affecting the Ibis framework versions below 7.1.0. The vulnerability, disclosed on November 16, 2023, allows arbitrary code execution through deserialization of untrusted data in IPC and Parquet readers when processing user-supplied input files. This security issue specifically affects PyArrow implementations, not other Apache Arrow implementations or bindings (GitHub Advisory).

The vulnerability stems from the deserialization of untrusted data in IPC and Parquet readers within PyArrow. The issue affects applications that read Arrow IPC, Feather, or Parquet data from untrusted sources. In the context of Ibis, the framework makes limited use of pyarrow.parquet.read_table, primarily in tests and examples where input files are controlled by Ibis developers. The Pandas and Dask backends are particularly affected as they utilize PyArrow for reading Parquet files (GitHub Advisory).

The vulnerability enables arbitrary code execution when processing malicious data files. This poses a significant security risk for applications that handle user-supplied input files through PyArrow's IPC and Parquet readers. The impact is particularly concerning for applications using the Pandas and Dask backends in Ibis, as these components directly interact with PyArrow for Parquet file processing (GitHub Advisory).

Two primary mitigation strategies are available: 1) Upgrade to Ibis version 7.1.0 or later, which automatically imports the pyarrow_hotfix package wherever pyarrow is used, or 2) Upgrade to Arrow 14.0.1 or later. As a workaround, users can install pyarrow_hotfix and modify their import statements to include 'import pyarrow_hotfix' before any 'import ibis' statements (GitHub Advisory).