packages/python-tqdm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!29 [sync] PR-26: Fix CVE-2024-34062

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
This commit is contained in:
openeuler-ci-bot 2024-05-06 02:25:12 +00:00 committed by Gitee
commit 81aa3692ce
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
CVE-2024-34062.patch Normal file
View File

@ -0,0 +1,60 @@
From b53348c73080b4edeb30b4823d1fa0d8d2c06721 Mon Sep 17 00:00:00 2001
From: Casper da Costa-Luis <tqdm@cdcl.ml>
Date: Wed, 1 May 2024 14:56:01 +0100
Subject: [PATCH] cli: eval safety
- fixes GHSA-g7vv-2v7x-gj9p
---
tqdm/cli.py | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/tqdm/cli.py b/tqdm/cli.py
index 1223d4977..7284f28d5 100644
--- a/tqdm/cli.py
+++ b/tqdm/cli.py
@@ -21,23 +21,34 @@ def cast(val, typ):
return cast(val, t)
except TqdmTypeError:
pass
- raise TqdmTypeError(val + ' : ' + typ)
+ raise TqdmTypeError(f"{val} : {typ}")
# sys.stderr.write('\ndebug | `val:type`: `' + val + ':' + typ + '`.\n')
if typ == 'bool':
if (val == 'True') or (val == ''):
return True
- elif val == 'False':
+ if val == 'False':
return False
- else:
- raise TqdmTypeError(val + ' : ' + typ)
- try:
- return eval(typ + '("' + val + '")')
- except Exception:
- if typ == 'chr':
- return chr(ord(eval('"' + val + '"'))).encode()
- else:
- raise TqdmTypeError(val + ' : ' + typ)
+ raise TqdmTypeError(val + ' : ' + typ)
+ if typ == 'chr':
+ if len(val) == 1:
+ return val.encode()
+ if re.match(r"^\\\w+$", val):
+ return eval(f'"{val}"').encode()
+ raise TqdmTypeError(f"{val} : {typ}")
+ if typ == 'str':
+ return val
+ if typ == 'int':
+ try:
+ return int(val)
+ except ValueError as exc:
+ raise TqdmTypeError(f"{val} : {typ}") from exc
+ if typ == 'float':
+ try:
+ return float(val)
+ except ValueError as exc:
+ raise TqdmTypeError(f"{val} : {typ}") from exc
+ raise TqdmTypeError(f"{val} : {typ}")
def posix_pipe(fin, fout, delim=b'\\n', buf_size=256,

7
python-tqdm.spec
View File

@ -2,11 +2,13 @@
Name: python-tqdm Name: python-tqdm
Version: 4.66.2 Version: 4.66.2
Release: 1 Release: 2
Summary: A Fast and Extensible Progress Bar for Python and CLI Summary: A Fast and Extensible Progress Bar for Python and CLI
License: MPL-2.0 and MIT License: MPL-2.0 and MIT
URL: https://github.com/tqdm/tqdm URL: https://github.com/tqdm/tqdm
Source0: https://files.pythonhosted.org/packages/source/t/tqdm/tqdm-%{version}.tar.gz Source0: https://files.pythonhosted.org/packages/source/t/tqdm/tqdm-%{version}.tar.gz
# https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721
Patch0: CVE-2024-34062.patch
BuildRequires: python3-devel python3-setuptools gcc python3-toml python3-setuptools_scm BuildRequires: python3-devel python3-setuptools gcc python3-toml python3-setuptools_scm
BuildRequires: python3-pip python3-hatchling python3-hatch-vcs python3-wheel BuildRequires: python3-pip python3-hatchling python3-hatch-vcs python3-wheel
@ -53,6 +55,9 @@ mv -v %{buildroot}%{python3_sitelib}/tqdm/tqdm.1 %{buildroot}%{_mandir}/man1/
%{_mandir}/man1/tqdm.1* %{_mandir}/man1/tqdm.1*
%changelog %changelog
* Mon May 06 2024 yaoxin <yao_xin001@hoperun.com> - 4.66.2-2
- Fix CVE-2024-34062
* Sat Feb 17 2024 xu_ping <707078654@qq.com> - 4.66.2-1 * Sat Feb 17 2024 xu_ping <707078654@qq.com> - 4.66.2-1
- Upgrade package to version 4.66.2 - Upgrade package to version 4.66.2