tqdm: CVE-2024-34062


Debian Bug report logs - #1070372
tqdm: CVE-2024-34062


Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Sat, 4 May 2024 15:57:06 UTC

Severity: important

Tags: security, upstream

Found in version tqdm/4.66.2-3

Fixed in version tqdm/4.66.4-1

Done: Daniel Baumann <daniel.baumann@progress-linux.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Daniel Baumann <daniel.baumann@progress-linux.org>:
Bug#1070372; Package src:tqdm. (Sat, 04 May 2024 15:57:08 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Daniel Baumann <daniel.baumann@progress-linux.org>. (Sat, 04 May 2024 15:57:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: tqdm: CVE-2024-34062
Date: Sat, 4 May 2024 17:55:49 +0200
Source: tqdm
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for tqdm.

CVE-2024-34062[0]:
| tqdm is an open source progress bar for Python and CLI. Any optional
| non-boolean CLI arguments (e.g. `--delim`, `--buf-size`,
| `--manpath`) are passed through python's `eval`, allowing arbitrary
| code execution. This issue is only locally exploitable and had been
| addressed in release version 4.66.3. All users are advised to
| upgrade. There are no known workarounds for this vulnerability.

https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
Fixed by: https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721 (v4.66.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34062
    https://www.cve.org/CVERecord?id=CVE-2024-34062

Please adjust the affected versions in the BTS as needed.
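The advisory quoted above names the root cause: option values that are not booleans are handed to Python's `eval`, so whatever expression the caller types is executed. The example below is added here to illustrate that pattern and its hardened counterpart; it is not tqdm's code and not the upstream fix. The option table (`--delim`, `--buf-size`, `--manpath`, `--ascii`) borrows names from the advisory text, but the declared types, the parser and the sample argument lists are constructed for this example.

```python
"""Contrast an eval-based CLI option coercion with a type-driven one.

Added illustration, not tqdm's code. OPTION_TYPES is a constructed table:
the option names come from the advisory text, the types are assumptions.
"""
import ast
from typing import Any, Callable, Dict

OPTION_TYPES: Dict[str, type] = {
    "delim": str,
    "buf_size": int,
    "manpath": str,
    "ascii": bool,  # boolean flag: present or absent, takes no value
}


def coerce_with_eval(name: str, raw: str) -> Any:
    """The risky pattern the advisory describes.

    A non-boolean option value is passed straight to eval(), so a value such
    as '2+2' is not an integer literal but an expression that gets executed.
    """
    if OPTION_TYPES[name] is bool:
        return True
    return eval(raw)  # deliberately unsafe, kept only for contrast


def coerce_safely(name: str, raw: str) -> Any:
    """Hardened form: convert according to the declared type, never evaluate."""
    typ = OPTION_TYPES[name]
    if typ is bool:
        return True
    if typ is int:
        # int() accepts only an integer literal; '2+2' raises ValueError.
        return int(raw, 10)
    if typ is str:
        # Accept a quoted Python string literal (e.g. "\t") so escape
        # sequences can be written; ast.literal_eval never runs code.
        if raw[:1] in ("'", '"'):
            value = ast.literal_eval(raw)
            if not isinstance(value, str):
                raise ValueError(
                    f"--{name} expects a string, got {type(value).__name__}")
            return value
        return raw
    raise ValueError(f"unsupported option type for --{name}")


def parse_argv(argv, coerce: Callable[[str, str], Any]) -> Dict[str, Any]:
    """Turn ['--delim', ',', '--buf-size', '4096', '--ascii'] into a dict,
    delegating each value to the supplied coercion function."""
    opts: Dict[str, Any] = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            raise ValueError(f"unexpected positional argument: {tok!r}")
        name = tok[2:].replace("-", "_")
        if name not in OPTION_TYPES:
            raise ValueError(f"unknown option {tok}")
        if OPTION_TYPES[name] is bool:
            opts[name] = coerce(name, "")
            i += 1
        else:
            if i + 1 >= len(argv):
                raise ValueError(f"{tok} needs a value")
            opts[name] = coerce(name, argv[i + 1])
            i += 2
    return opts


if __name__ == "__main__":
    # Constructed command line: the value for --buf-size is an expression.
    argv = ["--buf-size", "2+2", "--delim", '"\\t"', "--ascii"]
    print("eval-based :", parse_argv(argv, coerce_with_eval))
    try:
        print("type-driven:", parse_argv(argv, coerce_safely))
    except ValueError as exc:
        print("type-driven: rejected ->", exc)
```

Running the module shows the difference directly: the eval-based parser happily turns `--buf-size 2+2` into `4`, proving the value was executed rather than read, while the type-driven parser rejects it with `ValueError` and still accepts the quoted tab for `--delim`. When auditing a CLI, the check to make is whether any user-supplied string reaches `eval`, `exec` or string-built code at all; the fix is to dispatch on a declared type and use `ast.literal_eval` only where a Python literal is genuinely the intended input format.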



Reply sent to Daniel Baumann <daniel.baumann@progress-linux.org>:
You have taken responsibility. (Sat, 04 May 2024 16:27:02 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 04 May 2024 16:27:03 GMT)


Message #10 received at 1070372-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1070372-close@bugs.debian.org
Subject: Bug#1070372: fixed in tqdm 4.66.4-1
Date: Sat, 04 May 2024 16:22:34 +0000
Source: tqdm
Source-Version: 4.66.4-1
Done: Daniel Baumann <daniel.baumann@progress-linux.org>

We believe that the bug you reported is fixed in the latest version of
tqdm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1070372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel.baumann@progress-linux.org> (supplier of updated tqdm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 04 May 2024 18:02:53 +0200
Source: tqdm
Architecture: source
Version: 4.66.4-1
Distribution: sid
Urgency: medium
Maintainer: Daniel Baumann <daniel.baumann@progress-linux.org>
Changed-By: Daniel Baumann <daniel.baumann@progress-linux.org>
Closes: 1070372
Changes:
 tqdm (4.66.4-1) sid; urgency=medium
 .
   * Uploading to sid.
   * Merging upstream version 4.66.4:
     - any optional non-boolean CLI arguments are passed through python's eval,
       allowing arbitrary code execution [CVE-2024-34062] (Closes: #1070372).
Checksums-Sha1:
 641c3b99cd0f9b3e28d2c022576abd43d70a6b8b 2171 tqdm_4.66.4-1.dsc
 3aac7611afcdbc5baff1d52bcb9920c801c247df 104308 tqdm_4.66.4.orig.tar.xz
 f1e826f30df04428607af6f9c72df2e7a585a27f 4324 tqdm_4.66.4-1.debian.tar.xz
 47b5c3e2164ccf83a4e63b5b2f2f02d8df3c174b 8599 tqdm_4.66.4-1_amd64.buildinfo
Checksums-Sha256:
 ce107da175505a5724562b8f91985997e9aa168126ecc8b78a863a065339cb76 2171 tqdm_4.66.4-1.dsc
 b5378fb888240bcafa5227f3ea726147c5703c16ab8ac61fc99e73dc3d14b7d3 104308 tqdm_4.66.4.orig.tar.xz
 762c6ecc1ee59baf7b5f5c87bd5578c687cedd24f88a407d0944519ca94094b3 4324 tqdm_4.66.4-1.debian.tar.xz
 f0ac1c8c8a93f03813b03b2b27844732a287e5aa4fcb24baa26632aabd502849 8599 tqdm_4.66.4-1_amd64.buildinfo
Files:
 5af3bbda9405343246225718517c1a27 2171 python optional tqdm_4.66.4-1.dsc
 eeae6b75c493affc41bc131516a7eb7b 104308 python optional tqdm_4.66.4.orig.tar.xz
 bf50523af5393f4ab4b1aea50e81e72b 4324 python optional tqdm_4.66.4-1.debian.tar.xz
 3cb19210b37b944b800e53ab6ba6725e 8599 python optional tqdm_4.66.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEgTbtJcfWfpLHSkKSVc8b+YaruccFAmY2XQAACgkQVc8b+Yar
ucfu+A/+LNDqgLVoMdZdlncaDIKGv33Xp10T8ZDGYiXvzMR56gyFmdnAOxot6cD2
HC0Cm7czJoGLWQCJojNDlaM3M3OXoRUvJcKIqMDWML7yNBbPU6Y+9DVsptsF3HXP
dRTAnUyBVGC8Z0VRyVuI5vCP0qpkrzXikGt+2et/bolUDbvdSuM56mectRTVfY85
E0/w628er3i8uKBNY03Fbu/HdJ4vWydqk6Q3mYqtHTqHfVNcNIostvJNb3BlQpve
O/2gZHcPSjmi97R7CrFNQHc9QeW8mXXt/N6xqLFjyh4QPTurbSM5ya1GX3WkubJT
LVj7ZE9ogDw8QspxohD8pMJMwMWEV71rLNsJdMnZE5+3Oz8/WD1VwCkqP+gKBk4D
i5DxOQsD4fjtwBczv1pOWS9jfaLAVHQbnBaFB3MpcqhBgF9p2Z47qxelohQpZ+rS
KmBe630bIZxAQ6uKo8LmG5pC6dr5Acf1lSXESUx0XBYnsxE29Y16J0qmLKyr3SoN
gNmv3deM64b69VpQpE1zVDfSdqByPmWWaaI4r7qsLWk/J0vA+OOLefp2uXrW5znK
BrFBTO9ZrUuqeeHSvETY6oMcE9brzEUykj8cXRUKI4DTVY80a+aRFIQ5W067nUus
KPVtPDgRubSZYGj4TyuYTjiXywj59O4rnB0HDzPeB+Z8ckYbQl8=
=IZCb
-----END PGP SIGNATURE-----


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 04 May 2024 19:30:05 GMT)


Marked as found in versions tqdm/4.66.2-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 04 May 2024 19:30:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun May 5 11:55:52 2024; Machine Name: buxtehude
