CVE-2024-34062

Name	CVE-2024-34062
Description	tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1070372

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
tqdm (PTS)	bullseye	4.57.0-2	vulnerable
	bookworm	4.64.1-1	vulnerable
	sid, trixie	4.67.0-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
tqdm	source	(unstable)	4.66.4-1			1070372

Notes

[bookworm] - tqdm <no-dsa> (Minor issue)
[bullseye] - tqdm <no-dsa> (Minor issue)
[buster] - tqdm <postponed> (Minor issue)
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
Fixed by: https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721 (v4.66.3)