Bug 2281993 (CVE-2024-34997)

Summary: CVE-2024-34997 python-joblib: Deserialization vulnerability via joblib.numpy_pickle::NumpyArrayWrapper().read_array()
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: davidn, epacific, jcammara, jhardy, jneedle, jobarker, kshier, mabashia, rbobbitt, simaishi, smcdonal, stcannon, teagle, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-joblib. A deserialization vulnerability via the joblib.numpy_pickle::NumpyArrayWrapper().read_array() component uses the insecure pickle python library when used with untrusted inputs.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2281994, 2281996    
Bug Blocks: 2281997    

Description Pedro Sampaio 2024-05-20 18:07:44 UTC 
joblib v1.4.2 was discovered to contain a deserialization vulnerability via the component joblib.numpy_pickle::NumpyArrayWrapper().read_array().

References:

https://github.com/joblib/joblib/issues/1582
https://github.com/joblib/joblib/pull/1585

Ps.: Issue with pickle lib is well known and warned about upstream:

https://docs.python.org/3.11//library/pickle.html

So no fix planned for this upstream. CVE was assigned by Debian, dispute/rejection requestes should e directed there.
Comment 1 Pedro Sampaio 2024-05-20 18:07:59 UTC 
Created python-joblib tracking bugs for this issue:

Affects: fedora-all [bug 2281994]
Comment 2 Pedro Sampaio 2024-05-20 18:19:21 UTC 
Created python-mne tracking bugs for this issue:

Affects: fedora-all [bug 2281996]