Bugzilla – Bug 1227174
VUL-0: CVE-2024-39705: python-nltk: remote code execution through the integrated data package download functionality
Last modified: 2024-07-10 09:22:24 UTC
NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39705
https://www.cve.org/CVERecord?id=CVE-2024-39705
https://github.com/nltk/nltk/issues/2522
https://github.com/nltk/nltk/issues/3266
https://bugzilla.redhat.com/show_bug.cgi?id=2294671
Yes, downloading and using pickles from the Internet is certainly a security issue, and exactly the thing the pickle module documentation warns programmers not to do (https://docs.python.org/3/library/pickle.html). However, removing the network downloading functionality probably requires refactoring a big chunk of code. Waiting on upstream for their solution.
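As an added illustration of the point about untrusted pickles (example code, not NLTK's own loader): an allowlist-based unpickler, the pattern the pickle documentation recommends, accepts a data-only pickle but refuses one that references a callable such as os.system, which plain pickle.loads() resolves without complaint. The SAFE_BUILTINS allowlist and the sample pickles are assumptions constructed for this example.

```python
import builtins
import io
import os
import pickle

# Allowlist of globals an unpickler may resolve. Only harmless builtin
# types are permitted; anything else (os.system, subprocess.Popen, arbitrary
# classes) is refused before it is ever constructed. The allowlist is an
# assumption for this example; a real data loader would need exactly the
# classes its model files legitimately contain.
SAFE_BUILTINS = {"set", "frozenset", "slice", "range", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global not on the allowlist."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Load untrusted pickle bytes with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def permissive_loads(data: bytes):
    """Plain pickle.loads(): resolves whatever global the bytes name."""
    return pickle.loads(data)


def classify(data: bytes) -> str:
    """Return 'ok' if the pickle uses only allowlisted globals, else 'rejected'."""
    try:
        restricted_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample inputs standing in for downloaded data packages.
# Data-only pickle: the kind of content a tokenizer model should contain.
BENIGN = pickle.dumps({"abbrev_types": {"dr", "mr"}, "sent_starters": ["the"]})
# Pickle that merely references a callable by module and name. pickle.loads()
# hands the callable back without complaint (inside a REDUCE it would be
# called, which is how arbitrary code runs); the restricted unpickler refuses it.
REFERENCES_CALLABLE = pickle.dumps(os.system)
```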
I recommended to Matej to temporarily disable this dangerous functionality.
This is an autogenerated message for OBS integration: This bug (1227174) was mentioned in https://build.opensuse.org/request/show/1185062 Factory / python-nltk
This is just a preliminary version, which needs to be discussed with the upstream.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423