Details: https://nvd.nist.gov/vuln/detail/CVE-2024-34062
Pick the patch mentioned by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../python/python3-tqdm/CVE-2024-34062.patch | 64 +++++++++++++++++++
 .../python/python3-tqdm_4.64.0.bb | 1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch
diff --git a/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch b/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch
new file mode 100644
index 0000000000..a4aaf6248b
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch
@@ -0,0 +1,64 @@
+From 35f8daf26d28950aa44a763f19a13c6ee133ff6c Mon Sep 17 00:00:00 2001
+From: Casper da Costa-Luis <[email protected]>
+Date: Wed, 1 May 2024 14:56:01 +0100
+Subject: [PATCH] cli: eval safety
+
+- fixes GHSA-g7vv-2v7x-gj9p
+
+CVE: CVE-2024-34062
+Upstream-Status: Backport [https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ tqdm/cli.py | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/tqdm/cli.py b/tqdm/cli.py
+index 3ed25fb..e4f587b 100644
+--- a/tqdm/cli.py
++++ b/tqdm/cli.py
+@@ -21,23 +21,34 @@ def cast(val, typ):
+ return cast(val, t)
+ except TqdmTypeError:
+ pass
+- raise TqdmTypeError(val + ' : ' + typ)
++ raise TqdmTypeError(f"{val} : {typ}")
+
+ # sys.stderr.write('\ndebug | `val:type`: `' + val + ':' + typ + '`.\n')
+ if typ == 'bool':
+ if (val == 'True') or (val == ''):
+ return True
+- elif val == 'False':
++ if val == 'False':
+ return False
+- else:
+- raise TqdmTypeError(val + ' : ' + typ)
+- try:
+- return eval(typ + '("' + val + '")')
+- except Exception:
+- if typ == 'chr':
+- return chr(ord(eval('"' + val + '"'))).encode()
+- else:
+- raise TqdmTypeError(val + ' : ' + typ)
++ raise TqdmTypeError(val + ' : ' + typ)
++ if typ == 'chr':
++ if len(val) == 1:
++ return val.encode()
++ if re.match(r"^\\\w+$", val):
++ return eval(f'"{val}"').encode()
++ raise TqdmTypeError(f"{val} : {typ}")
++ if typ == 'str':
++ return val
++ if typ == 'int':
++ try:
++ return int(val)
++ except ValueError as exc:
++ raise TqdmTypeError(f"{val} : {typ}") from exc
++ if typ == 'float':
++ try:
++ return float(val)
++ except ValueError as exc:
++ raise TqdmTypeError(f"{val} : {typ}") from exc
++ raise TqdmTypeError(f"{val} : {typ}")
+
+
+ def posix_pipe(fin, fout, delim=b'\\n', buf_size=256,
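Review bot: The `chr` branch's guard `re.match(r"^\\\w+$", val)` still admits a value that ends in a newline, because `$` also matches just before a trailing `\n`; the `eval(f'"{val}"')` that follows then fails with a SyntaxError (unterminated string literal) rather than the TqdmTypeError the rest of `cast` raises on bad input. `re.fullmatch(r"\\\w+", val)` closes that gap, and `ast.literal_eval(f'"{val}"').encode()` (with `import ast`) would take the last `eval` out of the CLI path while accepting the same escape sequences — the pattern already excludes quotes and a second backslash, so the quoted literal cannot be broken out of, and that reasoning deserves a one-line comment above the call, e.g. `# only a single backslash escape (\t, \x41, ...) can reach here; quotes and extra backslashes are rejected by the regex`. The retained `raise TqdmTypeError(val + ' : ' + typ)` in the bool branch is the one message this hunk leaves in the old concatenation form instead of the f-string used on every other raise. `re` is used without an import visible in the hunk; presumably tqdm/cli.py in 4.64.0 already imports it, but that is worth confirming against the tree the patch is applied to. The enclosing `cast` function starts before the inner hunk (it opens at line 21 of tqdm/cli.py), so its signature and the start of the type-list loop are outside what is shown here.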
diff --git a/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb b/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb
index 3cb45f1a6e..5533b34d25 100644
--- a/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb
+++ b/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb
@@ -5,6 +5,7 @@ SECTION = "devel/python"
 LICENSE = "MIT & MPL-2.0"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=1672e2674934fd93a31c09cf17f34100"
+SRC_URI += "file://CVE-2024-34062.patch"
 SRC_URI[sha256sum] = "40be55d30e200777a307a7585aee69e4eabb46b4ec6a4b4a5f2d9f11e7d5408d"
 inherit pypi python_setuptools_build_meta
