Bug 2278914 (CVE-2024-34062) - CVE-2024-34062 python-tqdm: non-boolean CLI arguments may lead to local code execution
Summary: CVE-2024-34062 python-tqdm: non-boolean CLI arguments may lead to local code ...
Keywords:
Status: NEW
Alias: CVE-2024-34062
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2278915
Blocks: 2278917
Reported: 2024-05-03 17:32 UTC by Marco Benatto
Modified: 2024-05-13 11:52 UTC
CC List: 9 users

Fixed In Version: tqdm 4.66.3
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Marco Benatto 2024-05-03 17:32:57 UTC
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through Python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and has been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
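The following is an added illustration of the bug class described above (an option value spliced into Python source and handed to `eval`), not tqdm's own code and not the upstream fix. The function names `cast_unsafe`, `cast_safe`, `parse_bool`, `parse_chr` and the `CONVERTERS` table are invented for the example, and `PAYLOAD` is a constructed option value that runs a harmless `os.getpid()` where a real attacker would run `os.system`.

```python
"""Worked example for CVE-2024-34062's bug class: casting a CLI option value
by building source text and eval()-ing it, next to a hardened cast that
maps type names to ordinary converters. Added example; not tqdm code."""
import os
import re


def cast_unsafe(val, typ):
    """Vulnerable pattern (assumed shape, not tqdm's exact source): the raw
    option value is embedded in a string literal and the result is eval()ed.
    A value containing '"' closes the literal, and whatever follows is
    executed as Python with the caller's globals."""
    return eval(typ + '("' + val + '")')


def parse_bool(val):
    """Bare flag or 'True' means True; 'False' means False; anything else is rejected."""
    if val in ("", "True"):
        return True
    if val == "False":
        return False
    raise ValueError(f"{val!r} is not a boolean")


def parse_chr(val):
    """Single character or a backslash escape such as \\n or \\x00, returned as bytes.
    unicode_escape decoding interprets escapes without evaluating code."""
    if len(val) == 1:
        return val.encode()
    if re.fullmatch(r"\\\w+", val):
        return val.encode("ascii").decode("unicode_escape").encode()
    raise ValueError(f"{val!r} is not a single character or escape")


# Explicit allow-list of type names to converters: no source text is built,
# so the value can never change what code runs, only whether it converts.
CONVERTERS = {
    "bool": parse_bool,
    "chr": parse_chr,
    "str": str,
    "int": int,
    "float": float,
}


def cast_safe(val, typ):
    """Hardened cast: look the type up, call the converter on the raw string.
    Unknown type names are a programming error, bad values a ValueError."""
    try:
        conv = CONVERTERS[typ]
    except KeyError:
        raise TypeError(f"unsupported option type: {typ}") from None
    return conv(val)


# Constructed attacker-controlled value, e.g. what --delim=<PAYLOAD> would
# deliver. After splicing it becomes:  str("") or __import__("os").getpid() or ("")
# str("") is falsy, so the injected call runs and its result is returned.
PAYLOAD = '") or __import__("os").getpid() or ("'


def demonstrate():
    """Run both casts on the same inputs and return the observations."""
    results = {}
    results["unsafe_result"] = cast_unsafe(PAYLOAD, "str")   # the pid: injected code ran
    results["unsafe_is_pid"] = results["unsafe_result"] == os.getpid()
    results["safe_str"] = cast_safe(PAYLOAD, "str")          # payload stays inert text
    results["safe_int"] = cast_safe("4096", "int")
    results["safe_chr"] = cast_safe("\\n", "chr")
    results["safe_bool"] = cast_safe("", "bool")
    try:
        cast_safe(PAYLOAD, "int")
        results["safe_int_rejects_payload"] = False
    except ValueError:
        results["safe_int_rejects_payload"] = True
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The vulnerable function accepts the same `--delim`-style value that the hardened one treats as plain text; the difference is only whether the value ever becomes source code. The same reasoning applies to `ast.literal_eval`, which would reject the payload as a syntax error rather than execute it, but an allow-list of converters is simpler to audit than any evaluator.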

Comment 1 Marco Benatto 2024-05-03 17:53:57 UTC
Created python-tqdm tracking bugs for this issue:

Affects: fedora-all [bug 2278915]

