Bug 2278914 (CVE-2024-34062)

Summary: CVE-2024-34062 python-tqdm: non-boolean CLI arguments may lead to local code execution
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdettelb, hkataria, jsamir, kaycoth, kshier, rbobbitt, stcannon, sthirugn, vkrizan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: tqdm 4.66.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-tqdm. When processing non-boolean command line arguments, python-tqdm uses python's `eval` function but fails to properly sanitize the input provided by the user. This flaw allows an attacker to trick a user into running python-tqdm with crafted command line arguments, resulting in local code execution.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2278915
Bug Blocks: 2278917

Description Marco Benatto 2024-05-03 17:32:57 UTC
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and has been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
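The unsafe pattern the description refers to, next to the kind of hardening a CLI option parser needs, as an added illustration that is not tqdm's own code and does not reproduce the 4.66.3 fix line for line: `cast_unsafe` hands the raw option string to `eval`, so any expression in the argument runs with the privileges of the process; `cast_safe` parses with `ast.literal_eval`, which only accepts Python literals and evaluates no names, calls or attribute access, and then enforces an explicit per-option type. The option names follow the advisory's examples (`--delim`, `--buf-size`, `--manpath`); the `OPTION_TYPES` table and all function names are assumptions made for this example.

```python
import ast
from typing import Any, Callable, Dict

# Expected Python type per CLI option. This table is an assumption for the
# example, modelled on the options the advisory names, not tqdm's own code.
OPTION_TYPES: Dict[str, Callable[..., Any]] = {
    "delim": str,      # line delimiter, e.g. '\n'
    "buf_size": int,   # read buffer size in bytes
    "manpath": str,    # directory the man page is installed into
}


def cast_unsafe(value: str) -> Any:
    """Vulnerable pattern: the option string is evaluated as Python source.

    Whatever expression is in the argument is executed, so a crafted
    argument string becomes local code execution. Shown only for contrast.
    """
    return eval(value)  # noqa: S307


def cast_safe(option: str, value: str) -> Any:
    """Hardened pattern: accept Python literals only, then check the type.

    ast.literal_eval raises ValueError or SyntaxError for anything that is
    not a literal (names, calls, attribute access, arithmetic on non-complex
    numbers), so parsing the argument never runs code.
    """
    expected = OPTION_TYPES.get(option)
    if expected is None:
        raise ValueError(f"unknown option --{option}")
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError):
        # Not a Python literal at all. A bare path such as /usr/share/man is
        # a valid string value; for every other type this is a hard error.
        if expected is str:
            return value
        raise ValueError(f"--{option}: {value!r} is not a {expected.__name__} literal")
    # bool is a subclass of int; do not let 'True' slip through as a size.
    if not isinstance(parsed, expected) or (expected is int and isinstance(parsed, bool)):
        raise ValueError(f"--{option}: expected {expected.__name__}, got {type(parsed).__name__}")
    return parsed


def is_rejected(option: str, value: str) -> bool:
    """True if the hardened parser refuses the value (used by the checks)."""
    try:
        cast_safe(option, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample arguments; the literal '\n' (quoted) decodes to a
    # newline, a bare path stays a string, and an expression is refused.
    print(repr(cast_safe("delim", "'\\n'")))
    print(cast_safe("buf_size", "512"))
    print(cast_safe("manpath", "/usr/local/share/man"))
    print("expression rejected:", is_rejected("buf_size", "1+1"))
    print("unsafe cast evaluates expressions:", cast_unsafe("1+1"))
```

The essential difference is where the trust boundary sits: `eval` treats the argument as a program, while `ast.literal_eval` treats it as data and refuses anything that is not a literal, so the type check afterwards is all that remains to validate.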

Comment 1 Marco Benatto 2024-05-03 17:53:57 UTC
Created python-tqdm tracking bugs for this issue:

Affects: fedora-all [bug 2278915]