Bug 2294671 (CVE-2024-39705)

Summary: CVE-2024-39705 nltk: Remote Code Execution (RCE) via untrusted packages
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kshier, rbobbitt, stcannon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in the NLTK package. This flaw allows remote code execution if untrusted packages have pickled Python code and if the integrated data package download functionality is used. This issue affects, for example, the averaged_perceptron_tagger and Punkt.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2294672    
Bug Blocks: 2294670    

Description Patrick Del Bello 2024-06-28 01:30:58 UTC 
NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

References:
https://github.com/nltk/nltk/issues/2522
https://github.com/nltk/nltk/issues/3266
https://github.com/advisories/GHSA-cgvx-9447-vcch
Comment 1 Patrick Del Bello 2024-06-28 01:31:46 UTC 
Created python-nltk tracking bugs for this issue:

Affects: fedora-all [bug 2294672]