LCORE-2011: PyArrow overrides [Konflux]#1925

Merged
tisnik merged 1 commit into lightspeed-core:main from tisnik:lcore-2011-pyarrow-overrides on Jun 13, 2026

Conversation

@tisnik tisnik commented Jun 12, 2026

Contributor

Description

LCORE-2011: PyArrow overrides [Konflux]

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-2011

Summary by CodeRabbit

  • Chores
    • Updated Python dependencies to latest patch version.

coderabbitai Bot commented Jun 12, 2026

Contributor

Walkthrough

PyArrow dependency version is bumped from 23.0.0 to 23.0.1 in the Konflux requirements override file. This single-line update applies a patch-level version constraint fix without altering any other configuration or package dependencies.

Changes

PyArrow Dependency Version Update

Layer: PyArrow version override update
File(s): .konflux/requirements.overrides.txt
Summary: PyArrow version constraint incremented from 23.0.0 to 23.0.1 in the Konflux dependency override configuration.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly indicates the primary change is updating PyArrow overrides in a Konflux configuration file, which matches the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.konflux/requirements.overrides.txt:
- Line 12: Update the PR/CVE description to explicitly state that the
pyarrow==23.0.1 upgrade addresses CVE-2026-25087 and note that the root cause is
a use-after-free in the Arrow C++ IPC implementation (pre-buffering/C++-API
trigger), so although Python bindings may not directly expose it, the underlying
Arrow C++ library is patched by this bump; reference the pyarrow==23.0.1 entry
in the overrides to justify the fix.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d8a10ac2-8c65-44b2-9794-27344347131c

📥 Commits

Reviewing files that changed from the base of the PR and between 053195f and 501fd89.

📒 Files selected for processing (1)
  • .konflux/requirements.overrides.txt
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
🔇 Additional comments (1)
.konflux/requirements.overrides.txt (1)

12-12: Version pin is correctly formatted and will propagate through the build.

The exact-version pin pyarrow==23.0.1 follows the consistent format used throughout the file and is consumed by the Konflux build pipeline (via uv pip compile --override). A patch-level bump is typically backward compatible.

# datasets==4.5.0
pandas==2.3.3
pyarrow==23.0.0
pyarrow==23.0.1
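Review bot: the rendered hunk shows both `pyarrow==23.0.0` and `pyarrow==23.0.1` with no +/- markers, so confirm that only the 23.0.1 pin remains in .konflux/requirements.overrides.txt; two exact pins for the same package are conflicting overrides and cannot both be satisfied when the file is fed to `uv pip compile --override`. Since the PR description gives no reason for the bump, consider a trailing comment on the pin naming the advisory it closes, e.g. `pyarrow==23.0.1  # CVE-2026-25087, Arrow C++ IPC use-after-free`, so a later bump of this file does not silently move below the fixed version.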


🔒 Security & Privacy | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

PyArrow 23.0.1 release notes security fixes CVE

💡 Result:

The Apache Arrow 23.0.1 release, published on February 16, 2026, addresses a security vulnerability identified as CVE-2026-25087 [1][2][3]. This vulnerability is a Use After Free (UAF) issue located in the Apache Arrow C++ implementation, affecting versions 15.0.0 through 23.0.0 [2][4][5]. It can be triggered when reading an Arrow IPC file (specifically files, not IPC streams) with pre-buffering enabled, provided the file contains data with variadic buffers, such as Binary View or String View data [4][6][5].

Key technical points regarding this vulnerability include:

  • Trigger Mechanism: The vulnerability requires pre-buffering to be explicitly enabled via the C++ API call RecordBatchFileReader::PreBufferMetadata [2][4][5].
  • Language Bindings: The Apache Arrow maintainers have stated that this functionality is not exposed in language bindings, including Python (PyArrow), Ruby, and C GLib [4][5]. Consequently, while the PyArrow package is listed in some vulnerability databases as affected (due to its dependency on the core C++ library), the Python library itself is not directly vulnerable to this exploitation [6][5][7].
  • Impact: The most likely consequence is a crash or memory corruption when reading specific IPC files [4][6][5]. While exploitation for more targeted behavior, such as unauthorized data extraction, is theoretically possible, it is considered difficult and highly dependent on specific, hard-to-control memory and multi-threaded I/O patterns [4][5].

Users are advised to upgrade to Apache Arrow 23.0.1 or later to resolve the issue [4][5]. If upgrading is not immediately possible, users should either disable pre-buffering in their C++ code or ensure they are not ingesting IPC files from untrusted sources [4][5].

Confirm the CVE fixed by the PyArrow 23.0.1 bump

Apache Arrow 23.0.1 includes the fix for CVE-2026-25087 (Use After Free in the Arrow C++ IPC implementation; affects 15.0.0–23.0.0, so 23.0.1 is the resolving upgrade). The vulnerability is tied to C++ pre-buffering and isn’t directly exposed via Python bindings, but this version bump still updates the underlying Arrow C++ library.
Update the PR/CVE description to explicitly name CVE-2026-25087 (and optionally mention the pre-buffering/C++-API trigger).

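The review above makes two practical points: the override file must pin pyarrow at or above 23.0.1 because the fix lives in the Arrow C++ library that PyArrow bundles, and an exact pin in .konflux/requirements.overrides.txt is what the Konflux build consumes. The following is an added example, not code from this PR or the lightspeed-core project, showing how a practitioner could verify both: it parses a pip-style overrides file (sample content constructed here to mirror the pins in the hunk), flags conflicting duplicate pins, checks each package against a small table of fixed versions, and, when pyarrow happens to be importable, compares the bundled Arrow C++ version too. The function names, the FIXED_VERSIONS table and the use of pyarrow.cpp_version (with a fallback to __version__) are assumptions of this example.

```python
"""Sanity-check a pip-style requirements override file against known-fixed versions.

Added example for this PR discussion, not code from the lightspeed-core project.
Assumed names: parse_pins, conflicting_pins, pinned_at_least, audit, FIXED_VERSIONS.
"""
import re
from typing import Optional

# Constructed sample mirroring the shape of .konflux/requirements.overrides.txt
SAMPLE_OVERRIDES = """\
# datasets==4.5.0
pandas==2.3.3
pyarrow==23.0.1
"""

# Minimum versions that close the advisories named in the review
# (Apache Arrow 23.0.1 fixes CVE-2026-25087); the table itself is an assumption.
FIXED_VERSIONS = {"pyarrow": "23.0.1"}

# Only exact pins are accepted: the file is consumed by `uv pip compile --override`,
# and an override that is not `name==version` is almost certainly a mistake here.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.+]*)$")


def parse_pins(text: str) -> dict[str, list[str]]:
    """Map normalized package name -> list of pinned versions (duplicates preserved)."""
    pins: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out pins
        if not line:
            continue
        match = PIN_RE.match(line)
        if match is None:
            raise ValueError(f"unsupported override line: {raw!r}")
        name = match.group(1).lower().replace("_", "-")
        pins.setdefault(name, []).append(match.group(2))
    return pins


def version_key(version: str) -> tuple[int, ...]:
    """Numeric prefix of a version as a comparable tuple; '24.0.0.dev1' -> (24, 0, 0)."""
    key = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        if digits is None:
            break
        key.append(int(digits.group()))
    return tuple(key)


def conflicting_pins(pins: dict[str, list[str]]) -> list[str]:
    """Packages pinned to more than one distinct version (an unsatisfiable override set)."""
    return sorted(name for name, versions in pins.items() if len(set(versions)) > 1)


def pinned_at_least(pins: dict[str, list[str]], package: str, minimum: str) -> bool:
    """True only if the package is pinned and every pin for it is >= minimum."""
    versions = pins.get(package.lower().replace("_", "-"), [])
    return bool(versions) and all(version_key(v) >= version_key(minimum) for v in versions)


def audit(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the file passes."""
    pins = parse_pins(text)
    findings = [f"conflicting pins for {name}: {pins[name]}" for name in conflicting_pins(pins)]
    for package, minimum in FIXED_VERSIONS.items():
        if not pinned_at_least(pins, package, minimum):
            findings.append(f"{package} must be pinned >= {minimum}, found {pins.get(package)}")
    return findings


def runtime_arrow_cpp_ok(minimum: str = FIXED_VERSIONS["pyarrow"]) -> Optional[bool]:
    """Check the Arrow C++ library bundled with an installed pyarrow; None if not installed."""
    try:
        import pyarrow  # the vulnerable code is Arrow C++, so that is the version to check
    except ImportError:
        return None
    cpp_version = getattr(pyarrow, "cpp_version", pyarrow.__version__)  # assumed attribute
    return version_key(str(cpp_version)) >= version_key(minimum)


if __name__ == "__main__":
    for finding in audit(SAMPLE_OVERRIDES) or ["overrides OK"]:
        print(finding)
    print("runtime Arrow C++ >= fixed version:", runtime_arrow_cpp_ok())
```

Run it against the real overrides file (read the file and pass its text to `audit`) in CI or inside the built image; the runtime check only means something in the image, where the patched wheel is actually installed, and it returns None elsewhere rather than failing.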

@tisnik tisnik merged commit 9809ea1 into lightspeed-core:main Jun 13, 2026
38 of 39 checks passed