CVE-2023-47248 Mitigation (nv-morpheus#1399)

This PR mitigates CVE-2023-47248 by importing `pyarrow_hotfix` as early as possible to ensure that the pyarrow hotfix is applied before any code can use it. Can be removed after upgrading to pyarrow 14.0.1 or later (which is dictated by cudf) Authors: - Michael Demoret (https://github.com/mdemoret-nv) Approvers: - Christopher Harris (https://github.com/cwharris) - David Gardner (https://github.com/dagardner-nv) URL: nv-morpheus#1399
drobison00 · Dec 1, 2023 · 1579eaa · 1579eaa
1 parent ccb398a
commit 1579eaa
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 3 deletions.
diff --git a/ci/conda/recipes/morpheus/morpheus_build.sh b/ci/conda/recipes/morpheus/morpheus_build.sh
@@ -93,4 +93,4 @@ cmake -B ${BUILD_DIR} \
 cmake --build ${BUILD_DIR} -j${PARALLEL_LEVEL:-$(nproc)}
 
 # Install just the python wheel components
-${PYTHON} -m pip install -vv --no-deps ${BUILD_DIR}/dist/*.whl
+${PYTHON} -m pip install -vv ${BUILD_DIR}/dist/*.whl
diff --git a/docker/conda/environments/cuda11.8_dev.yml b/docker/conda/environments/cuda11.8_dev.yml
@@ -123,6 +123,7 @@ dependencies:
     - pip:
         # Add additional dev dependencies here
         - databricks-connect
-        - pytest-kafka==0.6.0
-        - pymilvus==2.3.2
         - milvus==2.3.2
+        - pyarrow_hotfix # CVE-2023-47248. See morpheus/__init__.py for more details
+        - pymilvus==2.3.2
+        - pytest-kafka==0.6.0
diff --git a/morpheus/__init__.py b/morpheus/__init__.py
@@ -12,6 +12,12 @@
 # limitations under the License.
 """Root module for the Morpheus library."""
 
+# ########################### CVE-2023-47248 Mitigation ############################
+# Import pyarrow_hotfix as early as possible to ensure that the pyarrow hotfix is applied before any code can use it
+# Can be removed after upgrading to pyarrow 14.0.1 or later (which is dictated by cudf)
+import pyarrow_hotfix
+# ##################################################################################
+
 import logging
 import os
 

diff --git a/setup.py b/setup.py
@@ -52,6 +52,7 @@
     packages=find_packages(include=["morpheus*"], exclude=['tests']),
     install_requires=[
         # Only list the packages which cannot be installed via conda here.
+        "pyarrow_hotfix",  # CVE-2023-47248. See morpheus/__init__.py for more details
     ],
     license="Apache",
     python_requires='>=3.10, <4',