janderson290 opened a new issue, #13698: URL: https://github.com/apache/iceberg/issues/13698
### Feature Request / Improvement

Currently the version of orc-core in use by this repo is subject to abuse of a high bug in its protobuf packages: [National Vulnerability Database : CVE-2024-7254](https://nvd.nist.gov/vuln/detail/CVE-2024-7254), boiling down to people being able to abuse a stack overflow of nested tags. The fix has already been introduced with [orc-core >=2.0.3](https://mvnrepository.com/artifact/org.apache.orc/orc-core/2.0.3), which was released in Nov 2024.

I've seen this project move orc-core versions recently from its original pre-Nov 2024 version of [iceberg-data 1.8.1](https://mvnrepository.com/artifact/org.apache.iceberg/iceberg-data/1.8.1), which moved from orc-core 1.9.4 to 1.9.5 in Feb 2025. However, this minor version it's moved to is still subject to this vulnerability, and is the current orc-core version in use in [iceberg-data 1.9.2](https://mvnrepository.com/artifact/org.apache.iceberg/iceberg-data/1.9.2).

It would be nice to see this project move to the latest releases of orc-core, free from this potential point of abuse.

Originally I wrote to the Apache security team about this at their address [[email protected]](mailto:[email protected]); however, there's been no feedback from their side, so I'm hoping to have the conversation here instead.

### Query engine

Trino

### Willingness to contribute

- [ ] I can contribute this improvement/feature independently
- [x] I would be willing to contribute this improvement/feature with guidance from the Iceberg community
- [ ] I cannot contribute this improvement/feature at this time

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
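The check a consumer of iceberg-data would want before and after such a bump is which orc-core and protobuf-java versions actually get resolved on the classpath, since the vulnerable code lives in protobuf-java and that artifact can be pinned independently of orc-core. The script below is an added example, not Iceberg project code or anything posted in the issue: it parses `mvn dependency:tree` style output and flags artifacts below a fixed-version floor. The orc-core floor of 2.0.3 comes from the issue; the protobuf-java floors (3.25.5, 4.27.5, 4.28.2) are the upstream patched release lines for CVE-2024-7254. The sample tree is constructed, and the transitive protobuf-java version shown in it is illustrative, not a claim about what orc-core 1.9.5 really pulls in.

```python
"""Flag resolved Maven artifacts that sit below a known fixed version.

Example added alongside the issue above; it is not Iceberg or ORC project
code. Input is `mvn dependency:tree` style text; the sample is constructed.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed version per (groupId, artifactId). Artifacts with several
# maintained release lines get one floor per line; a resolved version is
# considered fixed when it is >= the floor of its own line.
FIXED_VERSIONS: Dict[Tuple[str, str], List[str]] = {
    # From the issue: the ORC fix shipped in orc-core 2.0.3.
    ("org.apache.orc", "orc-core"): ["2.0.3"],
    # Upstream protobuf-java patched lines for CVE-2024-7254.
    ("com.google.protobuf", "protobuf-java"): ["3.25.5", "4.27.5", "4.28.2"],
}

# Maven prints coordinates as group:artifact:type:version[:scope].
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:(?P<version>[\w.\-]+)"
)

# Constructed sample output; real trees will differ.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0.0
[INFO] +- org.apache.iceberg:iceberg-data:jar:1.9.2:compile
[INFO] |  +- org.apache.orc:orc-core:jar:1.9.5:compile
[INFO] |  |  \\- com.google.protobuf:protobuf-java:jar:3.25.4:compile
[INFO] \\- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.9.5' (or '2.0.3-SNAPSHOT') into a tuple of ints.

    Numeric tuples compare correctly where plain string comparison does not
    ('1.10.0' > '1.9.5'). Qualifiers such as -SNAPSHOT are dropped, so a
    pre-release of the fixed version is treated as fixed; tighten if needed.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        return (0,)
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version: str, floors: List[str]) -> bool:
    """True when `version` is at or above the floor of its release line.

    Prefer a floor with the same major.minor, then the same major, then any
    floor; compare against the highest candidate so an unpatched older line
    (e.g. 4.26.x when fixes exist for 4.27.x and 4.28.x) is reported.
    """
    v = parse_version(version)
    parsed = [parse_version(f) for f in floors]
    for width in (2, 1, 0):
        cands = [f for f in parsed if f[:width] == v[:width]]
        if cands:
            return v >= max(cands)
    return False


def scan_tree(tree_output: str) -> List[Dict[str, str]]:
    """Return one finding per resolved artifact below its fixed floor."""
    findings: List[Dict[str, str]] = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        key = (m["group"], m["artifact"])
        floors = FIXED_VERSIONS.get(key)
        if floors is None or is_fixed(m["version"], floors):
            continue
        findings.append({
            "artifact": f"{key[0]}:{key[1]}",
            "resolved": m["version"],
            "fixed_in": ", ".join(floors),
        })
    return findings


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f['artifact']} resolved {f['resolved']}, fixed in {f['fixed_in']}")
```

Pipe real output in with `mvn dependency:tree | python3 check_versions.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; Gradle users can feed `gradle dependencies` output through the same regex as long as the coordinate token keeps the group:artifact:version shape. A clean run against the resolved tree is what actually establishes that the upgrade landed, regardless of which version the build file declares.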
