CVE-2024-34062
eugrin opened this issue · 0 comments
eugrin commented
Description
Impact
Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through Python's eval, allowing arbitrary code execution. Example:
python -m tqdm --manpath="" + str(exec("import os\nos.system('echo hi && killall python3')")) + ""
Patches
tqdm/tqdm@4e613f8 released in tqdm>=4.66.3
Workarounds
None
References
https://github.com/tqdm/tqdm/releases/tag/v4.66.3
Recommendation
Upgrade tqdm from 4.66.1 to 4.66.3 to fix the vulnerability.
Reproduction steps
NA
Expected vs. actual results
NA
Minimal code example
No response
Error messages
No response
Compiler and operating system
Not related to compiler
Library version
4.66.1
Validation
- The bug also occurs if the latest version from the develop branch is used.
- I can successfully compile and run the unit tests.
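An added illustration of the eval-based option casting the report describes (example code written for this page, not tqdm's own code or its fix): `cast_vulnerable` models the pattern of splicing a command-line value into a string that is handed to eval(), so a value that closes the quoted literal becomes executable code, while `cast_hardened` is an assumed whitelist-based alternative that never evaluates the value as Python source. The `_canary` function, `PAYLOAD` (a benign stand-in for the report's `--manpath` payload), the `CONVERTERS` table and the "int or str" alternation syntax are constructed for the demonstration.

```python
"""Vulnerable eval-based casting beside a hardened, whitelist-based version."""
import ast  # only used to document that literal parsing is what we want, not eval

# Constructed canary: any arbitrary code that runs flips this flag.
CANARY = {"triggered": False}


def _canary():
    CANARY["triggered"] = True
    return ""


def cast_vulnerable(val, typ):
    """Model of the reported pattern: evaluate `typ("<val>")` with eval().

    `val` is user-controlled; a double quote inside it closes the literal and
    whatever follows is parsed and executed as Python.
    """
    return eval(typ + '("' + val + '")')  # deliberately unsafe


def _to_chr(val):
    # Decode escape sequences such as "\t" without evaluating code.
    text = val.encode().decode("unicode_escape")
    if len(text) != 1:
        raise ValueError(f"{val!r} is not a single character")
    return chr(ord(text)).encode()


# Whitelist of converters (assumed for the example); values are plain strings
# passed to ordinary constructors, never to eval().
CONVERTERS = {"int": int, "float": float, "str": str, "chr": _to_chr}


def cast_hardened(val, typ):
    """Hardened replacement: `typ` may be an alternation such as "int or str"."""
    if " or " in typ:
        for t in typ.split(" or "):
            try:
                return cast_hardened(val, t)
            except ValueError:
                pass
        raise ValueError(f"{val!r} : {typ}")
    if typ == "bool":
        if val in ("True", ""):
            return True
        if val == "False":
            return False
        raise ValueError(f"{val!r} : {typ}")
    try:
        return CONVERTERS[typ](val)
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"{val!r} : {typ}") from exc


# Constructed payload with the same shape as the report's (close the literal,
# run an expression, reopen the literal); it only trips the canary.
PAYLOAD = '" + str(_canary()) + "'


def demo():
    """Run the same payload through both versions and report what happened."""
    CANARY["triggered"] = False
    vulnerable_result = cast_vulnerable(PAYLOAD, "str")
    vulnerable_ran_code = CANARY["triggered"]
    CANARY["triggered"] = False
    hardened_result = cast_hardened(PAYLOAD, "str")
    return {
        "vulnerable_ran_code": vulnerable_ran_code,
        "vulnerable_result": vulnerable_result,
        "hardened_ran_code": CANARY["triggered"],
        "hardened_result": hardened_result,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable path executing the canary while returning an innocuous empty string, which is why a user would notice nothing on the command line; the hardened path returns the payload verbatim as an ordinary string. The general lesson is the one the advisory implies: parse option values with explicit converters (or `ast.literal_eval` for literals), never by building source text for `eval`.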