It was found that python-tqdm executes the 'git log -n 1 --oneline' command when imported. A crafted Git repository configured to execute a particular script on a 'git log' could execute arbitrary code with the privileges of the user running an application that imports the tqdm module.
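The root cause described above is a library running an external command as a side effect of `import`, in whatever directory the importing process happens to be in. As an added example (not code from this Bugzilla entry or from the tqdm project), the following AST-based check is the kind of review a packager or maintainer can run over a package's sources to find process-spawning calls that execute at import time. Both snippets it is run on are constructed for this example, and the version string in the hardened one is a placeholder, not a real release number.

```python
"""Flag external-command calls that execute when a Python module is imported."""
import ast
from typing import Dict, List, Optional, Sequence, Tuple

# (module, attribute) pairs that spawn an external process.
PROCESS_CALLS = {
    ("subprocess", "run"),
    ("subprocess", "call"),
    ("subprocess", "check_call"),
    ("subprocess", "check_output"),
    ("subprocess", "Popen"),
    ("os", "system"),
    ("os", "popen"),
}

Aliases = Dict[str, Tuple[str, str]]


def _imported_aliases(tree: ast.Module) -> Aliases:
    """Map names bound by `from X import y [as z]` back to (X, y)."""
    aliases: Aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = (node.module, alias.name)
    return aliases


def _called_name(node: ast.Call, aliases: Aliases) -> Tuple[str, str]:
    """Resolve `subprocess.check_output(...)` or a bare `check_output(...)` to (module, attr)."""
    func = node.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    if isinstance(func, ast.Name):
        return aliases.get(func.id, ("", ""))
    return ("", "")


def _command_literal(node: ast.Call) -> str:
    """Render the first argument when it is a string or list literal, else mark it dynamic."""
    if not node.args:
        return "<dynamic>"
    arg = node.args[0]
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return arg.value
    if isinstance(arg, (ast.List, ast.Tuple)) and all(
        isinstance(e, ast.Constant) and isinstance(e.value, str) for e in arg.elts
    ):
        return " ".join(e.value for e in arg.elts)
    return "<dynamic>"


def find_import_time_commands(source: str) -> List[Tuple[int, str]]:
    """
    Return (line, command) for every process-spawning call that runs on import.
    Module-level code is walked, including if/try/with blocks and class bodies
    (those execute on import). Function and lambda bodies are skipped because
    they only run when called; their decorators and default values are not.
    """
    tree = ast.parse(source)
    aliases = _imported_aliases(tree)
    findings: List[Tuple[int, str]] = []

    def walk(nodes: Sequence[Optional[ast.AST]]) -> None:
        for node in nodes:
            if node is None:  # kw_defaults may contain None
                continue
            if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
                walk(getattr(node, "decorator_list", []))
                walk(node.args.defaults + node.args.kw_defaults)
                continue
            if isinstance(node, ast.Call) and _called_name(node, aliases) in PROCESS_CALLS:
                findings.append((node.lineno, _command_literal(node)))
            walk(list(ast.iter_child_nodes(node)))

    walk(list(ast.iter_child_nodes(tree)))
    return findings


# Constructed input resembling the pattern in the report: the git command is a
# side effect of `import`, so it runs against whatever checkout the user is in.
VULNERABLE_SNIPPET = '''\
import subprocess

__version__ = subprocess.check_output(
    ["git", "log", "-n", "1", "--oneline"]).decode().split()[0]
'''

# Constructed hardened form: the version is fixed at release time and the git
# query only runs when a developer calls the helper explicitly.
HARDENED_SNIPPET = '''\
from subprocess import check_output

__version__ = "0.0.0"  # placeholder, written by the release tooling


def _git_head_for_developers():
    return check_output(["git", "log", "-n", "1", "--oneline"])
'''

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        print(name, find_import_time_commands(src))
```

Run over a package tree, a non-empty result for any module is what a reviewer should question: a version lookup belongs in build or release tooling, not in code that executes on behalf of every user who imports the module.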
Additional information and CVE assignment:
Created python-tqdm tracking bugs for this issue:
Affects: fedora-all [bug 1409609]
Martin, please file a bug for EPEL7 as well. It also contains this security issue.
I don't maintain the EPEL version, so I'm not going to fix it.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.