Bug 1223880 (CVE-2024-34062)

Summary: VUL-0: CVE-2024-34062: python-tqdm,python3-tqdm: CLI argument injection attack
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: camila.matos, carlos.lopez, dmueller, mcepl, steven.kowalik, toddrme2178
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/404258/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-34062:6.1:(AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-05-03 16:03:04 UTC 
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-34062
https://www.cve.org/CVERecord?id=CVE-2024-34062
https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
Comment 1 Carlos López 2024-05-03 16:06:07 UTC 
We have:
 - openSUSE:Backports:SLE-15-SP6/python3-tqdm  4.45.0
 - openSUSE:Backports:SLE-15-SP5/python-tqdm   4.45.0
 - openSUSE:Factory/python-tqdm                4.66.1
 - SUSE:ALP:Source:Standard:1.0/python-tqdm    4.65.0
 - SUSE:SLE-15-SP4:Update/python-tqdm          4.66.1
Comment 2 OBSbugzilla Bot 2024-05-07 02:15:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1223880) was mentioned in
https://build.opensuse.org/request/show/1172287 Factory / python-tqdm
Comment 4 OBSbugzilla Bot 2024-05-14 09:05:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1223880) was mentioned in
https://build.opensuse.org/request/show/1173918 Backports:SLE-15-SP5 / python-tqdm
Comment 5 OBSbugzilla Bot 2024-05-15 08:05:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1223880) was mentioned in
https://build.opensuse.org/request/show/1174144 Backports:SLE-15-SP6 / python3-tqdm