Bug 1223880 (CVE-2024-34062) - VUL-0: CVE-2024-34062: python-tqdm,python3-tqdm: CLI argument injection attack
Summary: VUL-0: CVE-2024-34062: python-tqdm,python3-tqdm: CLI argument injection attack
Status: IN_PROGRESS
Alias: CVE-2024-34062
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/404258/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-34062:6.1:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-03 16:03 UTC by SMASH SMASH
Modified: 2024-07-09 11:50 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-05-03 16:03:04 UTC 
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-34062
https://www.cve.org/CVERecord?id=CVE-2024-34062
https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
Comment 1 Carlos López 2024-05-03 16:06:07 UTC 
We have:
 - openSUSE:Backports:SLE-15-SP6/python3-tqdm  4.45.0
 - openSUSE:Backports:SLE-15-SP5/python-tqdm   4.45.0
 - openSUSE:Factory/python-tqdm                4.66.1
 - SUSE:ALP:Source:Standard:1.0/python-tqdm    4.65.0
 - SUSE:SLE-15-SP4:Update/python-tqdm          4.66.1
Comment 2 OBSbugzilla Bot 2024-05-07 02:15:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1223880) was mentioned in
https://build.opensuse.org/request/show/1172287 Factory / python-tqdm
Comment 4 OBSbugzilla Bot 2024-05-14 09:05:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1223880) was mentioned in
https://build.opensuse.org/request/show/1173918 Backports:SLE-15-SP5 / python-tqdm
Comment 5 OBSbugzilla Bot 2024-05-15 08:05:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1223880) was mentioned in
https://build.opensuse.org/request/show/1174144 Backports:SLE-15-SP6 / python3-tqdm