!29 [sync] PR-26: Fix CVE-2024-34062

From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530
Fix CVE-2024-34062
2024-05-06 02:25:12 +00:00 · 2024-05-06 10:17:20 +08:00 · 2024-02-17 09:07:05 +00:00 · 2024-02-17 15:13:44 +08:00 · 2023-04-07 01:24:17 +00:00 · 2023-04-07 09:06:00 +08:00
4 changed files with 85 additions and 7 deletions
--- a/CVE-2024-34062.patch
+++ b/CVE-2024-34062.patch
@ -0,0 +1,60 @@
+From b53348c73080b4edeb30b4823d1fa0d8d2c06721 Mon Sep 17 00:00:00 2001
+From: Casper da Costa-Luis <tqdm@cdcl.ml>
+Date: Wed, 1 May 2024 14:56:01 +0100
+Subject: [PATCH] cli: eval safety
+
+- fixes GHSA-g7vv-2v7x-gj9p
+---
+ tqdm/cli.py | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/tqdm/cli.py b/tqdm/cli.py
+index 1223d4977..7284f28d5 100644
+--- a/tqdm/cli.py
+++ b/tqdm/cli.py
+@@ -21,23 +21,34 @@ def cast(val, typ):
+                 return cast(val, t)
+             except TqdmTypeError:
+                 pass
+-        raise TqdmTypeError(val + ' : ' + typ)
+        raise TqdmTypeError(f"{val} : {typ}")
+ 
+     # sys.stderr.write('\ndebug | `val:type`: `' + val + ':' + typ + '`.\n')
+     if typ == 'bool':
+         if (val == 'True') or (val == ''):
+             return True
+-        elif val == 'False':
+        if val == 'False':
+             return False
+-        else:
+-            raise TqdmTypeError(val + ' : ' + typ)
+-    try:
+-        return eval(typ + '("' + val + '")')
+-    except Exception:
+-        if typ == 'chr':
+-            return chr(ord(eval('"' + val + '"'))).encode()
+-        else:
+-            raise TqdmTypeError(val + ' : ' + typ)
+        raise TqdmTypeError(val + ' : ' + typ)
+    if typ == 'chr':
+        if len(val) == 1:
+            return val.encode()
+        if re.match(r"^\\\w+$", val):
+            return eval(f'"{val}"').encode()
+        raise TqdmTypeError(f"{val} : {typ}")
+    if typ == 'str':
+        return val
+    if typ == 'int':
+        try:
+            return int(val)
+        except ValueError as exc:
+            raise TqdmTypeError(f"{val} : {typ}") from exc
+    if typ == 'float':
+        try:
+            return float(val)
+        except ValueError as exc:
+            raise TqdmTypeError(f"{val} : {typ}") from exc
+    raise TqdmTypeError(f"{val} : {typ}")
+ 
+ 
+ def posix_pipe(fin, fout, delim=b'\\n', buf_size=256,
--- a/python-tqdm.spec
+++ b/python-tqdm.spec
@ -1,14 +1,17 @@
 %global debug_package %{nil}

 Name:           python-tqdm
-Version:        4.64.0
-Release:        1
+Version:        4.66.2
+Release:        2
 Summary:        A Fast and Extensible Progress Bar for Python and CLI
-License:        MPLv2.0 and MIT
+License:        MPL-2.0 and MIT
 URL:            https://github.com/tqdm/tqdm
-Source0:        https://files.pythonhosted.org/packages/98/2a/838de32e09bd511cf69fe4ae13ffc748ac143449bfc24bb3fd172d53a84f/tqdm-4.64.0.tar.gz
+Source0:        https://files.pythonhosted.org/packages/source/t/tqdm/tqdm-%{version}.tar.gz
+# https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721
+Patch0:         CVE-2024-34062.patch

 BuildRequires:  python3-devel python3-setuptools gcc python3-toml python3-setuptools_scm
+BuildRequires:  python3-pip  python3-hatchling python3-hatch-vcs python3-wheel

 %description
 tqdm derives from the Arabic word taqaddum which can mean "progress". Instantly 
@ -31,10 +34,10 @@ tqdm(interable), and you are done!
 %autosetup -n tqdm-%{version} -p1

 %build
-%py3_build
+%pyproject_build

 %install
-%py3_install
+%pyproject_install

 mkdir -p %{buildroot}%{_mandir}/man1/
 mv -v %{buildroot}%{python3_sitelib}/tqdm/tqdm.1 %{buildroot}%{_mandir}/man1/
@ -44,7 +47,7 @@ mv -v %{buildroot}%{python3_sitelib}/tqdm/tqdm.1 %{buildroot}%{_mandir}/man1/
 %doc README.rst examples
 %license LICENCE
 %{_bindir}/tqdm
-%{python3_sitelib}/tqdm-*.egg-info/
+%{python3_sitelib}/tqdm-*.dist-info/
 %{python3_sitelib}/tqdm/

 %files help
@ -52,6 +55,21 @@ mv -v %{buildroot}%{python3_sitelib}/tqdm/tqdm.1 %{buildroot}%{_mandir}/man1/
 %{_mandir}/man1/tqdm.1*

 %changelog
+* Mon May 06 2024 yaoxin <yao_xin001@hoperun.com> - 4.66.2-2
+- Fix CVE-2024-34062
+
+* Sat Feb 17 2024 xu_ping <707078654@qq.com> - 4.66.2-1
+- Upgrade package to version 4.66.2
+
+* Thu Apr 6 2023 liyanan <thistleslyn@163.com> - 4.65.0-1
+- Upgrade package to version 4.65.0
+
+* Fri Dec 09 2022 liukuo <liukuo@kylinos.cn> - 4.64.1-2
+- License compliance rectification
+
+* Wed Dec 07 2022 chendexi <chendexi@kylinos.cn> - 4.64.1-1
+- Upgrade package to version 4.64.1
+
 * Wed Aug 3 2022 kkz <zhaoshuang@uniontech.com> - 4.64.0-1
 - Update to 4.64.0

--- a/tqdm-4.64.0.tar.gz
+++ b/tqdm-4.64.0.tar.gz
--- a/tqdm-4.66.2.tar.gz
+++ b/tqdm-4.66.2.tar.gz
Author	SHA1	Message	Date
openeuler-ci-bot	81aa3692ce	!29 [sync] PR-26: Fix CVE-2024-34062 From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530	2024-05-06 02:25:12 +00:00
starlet-dx	fc7b19c90a	Fix CVE-2024-34062 (cherry picked from commit 51b41c10a2e4d10f56b4b0b5f319a092523a447e)	2024-05-06 10:17:20 +08:00
openeuler-ci-bot	852f346941	!25 Upgrade version to 4.66.2 From: @cherry530 Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2024-02-17 09:07:05 +00:00
cherry530	94a2638554	Upgrade version to 4.66.2 Signed-off-by: cherry530 <707078654@qq.com>	2024-02-17 15:13:44 +08:00
openeuler-ci-bot	e62ab1d1c3	!23 Upgrade package to version 4.65.0 From: @lyn1001 Reviewed-by: @cherry530 Signed-off-by: @cherry530	2023-04-07 01:24:17 +00:00
lyn1001	a3daf6accf	Upgrade package to version 4.65.0	2023-04-07 09:06:00 +08:00
openeuler-ci-bot	cd823e28b6	!22 Modify compliance irregularities From: @lauk001 Reviewed-by: @shinwell_hu Signed-off-by: @shinwell_hu	2022-12-19 12:46:31 +00:00
lauk001	45a31c41c6	Modify compliance irregularities	2022-12-09 11:05:18 +08:00
openeuler-ci-bot	9240c41ecd	!21 Upgrade package to version 4.64.1 From: @ccdxx Reviewed-by: @yangzhao_kl Signed-off-by: @yangzhao_kl	2022-12-08 08:26:43 +00:00
chendexi	4bb1f43d65	Upgrade package to version 4.64.1	2022-12-07 15:27:34 +08:00