CVE-2024-34062

Name          CVE-2024-34062
Description   tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through Python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and has been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Source        CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs   1070372

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version    Status
tqdm (PTS)       bullseye      4.57.0-2   vulnerable
                 bookworm      4.64.1-1   vulnerable
                 sid, trixie   4.67.1-1   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
tqdm      source   (unstable)   4.66.4-1                           1070372

Notes

[bookworm] - tqdm <no-dsa> (Minor issue)
[bullseye] - tqdm <no-dsa> (Minor issue)
[buster] - tqdm <postponed> (Minor issue)
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
Fixed by: https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721 (v4.66.3)
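The description above says the option values were "passed through python's eval". The block below is an illustration written for this page, not tqdm's cli.py and not the fix referenced in the commit above: it re-implements the unsafe pattern (build a Python expression from the type name and the option string, then eval() it) next to a hardened converter that dispatches on an allow-listed type name and never hands the option string to the parser. The function names, the CastError class, the OPTION_TYPES mapping and the payload strings are constructed for the example.

```python
"""Unsafe eval-based option casting vs. an allow-listed converter.

Illustration for CVE-2024-34062 (not tqdm's own code). A command-line
wrapper that turns "--buf-size 8192" into int(8192) by building the
source text  int("8192")  and eval()-ing it lets a value containing a
closing quote break out of the string literal and run as Python.
"""


class CastError(ValueError):
    """Raised when an option string cannot be converted to the named type."""


# Assumed option -> type table, modelled on a CLI that casts each option
# to the type named in its help text.
OPTION_TYPES = {"--delim": "chr", "--buf-size": "int", "--manpath": "str"}

# Constructed payloads. Each closes the quoted literal the caster opens,
# appends an attacker-chosen expression, and reopens a literal so the
# expression still parses.
PAYLOAD_STR = '") or "pwned" or ("'          # str("") or "pwned" or ("")
PAYLOAD_INT = '0") or 42 or int("0'           # int("0") or 42 or int("0")
PAYLOAD_EXEC = '") or __import__("os").getpid() or ("'


def vulnerable_cast(val, typ):
    """Pre-fix pattern: the option *value* becomes Python source.

    Deliberately unsafe; kept here only to show the failure mode.
    """
    if typ == "bool":
        return val in ("True", "")
    return eval(typ + '("' + val + '")')  # noqa: S307


def safe_cast(val, typ):
    """Hardened replacement: fixed converter per type, no code evaluation."""
    if typ == "bool":
        if val in ("True", ""):
            return True
        if val == "False":
            return False
        raise CastError(f"{val!r} is not a bool")
    if typ == "str":
        return val  # already a string; nothing to evaluate
    if typ in ("int", "float"):
        conv = int if typ == "int" else float
        try:
            return conv(val)
        except ValueError:
            raise CastError(f"{val!r} is not a {typ}") from None
    if typ == "chr":
        # Expand backslash escapes such as \n or \x00 using the codec
        # machinery rather than eval(); require exactly one character.
        ch = val.encode("ascii", "backslashreplace").decode("unicode_escape")
        if len(ch) != 1:
            raise CastError(f"{val!r} is not a single character")
        return ch.encode()
    raise CastError(f"unsupported type {typ!r}")


def cast_option(option, val, caster=safe_cast):
    """Look the option's type up in the allow-list and convert its value."""
    try:
        typ = OPTION_TYPES[option]
    except KeyError:
        raise CastError(f"unknown option {option!r}") from None
    return caster(val, typ)


if __name__ == "__main__":
    # The same string reaches both converters; only one executes it.
    print("vulnerable:", repr(vulnerable_cast(PAYLOAD_STR, "str")))
    print("vulnerable:", repr(vulnerable_cast(PAYLOAD_INT, "int")))
    print("hardened:  ", repr(safe_cast(PAYLOAD_STR, "str")))
    try:
        safe_cast(PAYLOAD_INT, "int")
    except CastError as exc:
        print("hardened:   rejected:", exc)
    print("hardened --delim '\\n' ->", cast_option("--delim", "\\n"))
```

Running the module shows vulnerable_cast returning "pwned" and 42 for inputs that were supposed to be a plain string and an integer, while safe_cast returns the string unchanged and rejects the non-numeric value. The point for a reviewer is that the hardened version's attack surface is the small set of converters on the right-hand side of the type dispatch, not the Python grammar; any new option type has to be added there explicitly.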
