!33 [sync] PR-27: Fix CVE-2024-34062

From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530
Fix CVE-2024-34062
2024-05-06 03:11:17 +00:00 · 2024-05-06 10:18:33 +08:00 · 2022-11-14 11:12:53 +00:00 · 2022-11-14 11:41:52 +08:00 · 2022-06-23 00:52:15 +00:00 · 2022-06-21 14:14:16 +08:00
4 changed files with 79 additions and 5 deletions
--- a/CVE-2024-34062.patch
+++ b/CVE-2024-34062.patch
@ -0,0 +1,60 @@
 From b53348c73080b4edeb30b4823d1fa0d8d2c06721 Mon Sep 17 00:00:00 2001
 From: Casper da Costa-Luis <tqdm@cdcl.ml>
 Date: Wed, 1 May 2024 14:56:01 +0100
 Subject: [PATCH] cli: eval safety
 - fixes GHSA-g7vv-2v7x-gj9p
 ---
 tqdm/cli.py | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)
 diff --git a/tqdm/cli.py b/tqdm/cli.py
 index 1223d4977..7284f28d5 100644
 --- a/tqdm/cli.py
 +++ b/tqdm/cli.py
@@ -21,23 +21,34 @@ def cast(val, typ):
                 return cast(val, t)
             except TqdmTypeError:
                 pass
 -        raise TqdmTypeError(val + ' : ' + typ)
 +        raise TqdmTypeError(f"{val} : {typ}")
     # sys.stderr.write('\ndebug | `val:type`: `' + val + ':' + typ + '`.\n')
     if typ == 'bool':
         if (val == 'True') or (val == ''):
             return True
 -        elif val == 'False':
 +        if val == 'False':
             return False
 -        else:
 -            raise TqdmTypeError(val + ' : ' + typ)
 -    try:
 -        return eval(typ + '("' + val + '")')
 -    except Exception:
 -        if typ == 'chr':
 -            return chr(ord(eval('"' + val + '"'))).encode()
 -        else:
 -            raise TqdmTypeError(val + ' : ' + typ)
 +        raise TqdmTypeError(val + ' : ' + typ)
 +    if typ == 'chr':
 +        if len(val) == 1:
 +            return val.encode()
 +        if re.match(r"^\\\w+$", val):
 +            return eval(f'"{val}"').encode()
 +        raise TqdmTypeError(f"{val} : {typ}")
 +    if typ == 'str':
 +        return val
 +    if typ == 'int':
 +        try:
 +            return int(val)
 +        except ValueError as exc:
 +            raise TqdmTypeError(f"{val} : {typ}") from exc
 +    if typ == 'float':
 +        try:
 +            return float(val)
 +        except ValueError as exc:
 +            raise TqdmTypeError(f"{val} : {typ}") from exc
 +    raise TqdmTypeError(f"{val} : {typ}")
 def posix_pipe(fin, fout, delim=b'\\n', buf_size=256,
--- a/python-tqdm.spec
+++ b/python-tqdm.spec
@ -1,14 +1,16 @@
 %global debug_package %{nil}
 Name:           python-tqdm
-Version:        4.28.1
+Version:        4.56.0
-Release:        2
+Release:        4
 Summary:        A Fast and Extensible Progress Bar for Python and CLI
 License:        MPLv2.0 and MIT
 URL:            https://github.com/tqdm/tqdm
-Source0:        https://github.com/tqdm/tqdm/archive/v%{version}/tqdm-%{version}.tar.gz
+Source0:        https://files.pythonhosted.org/packages/69/50/9f29874d835945b845812799edc732ba30c41e9d20431f9f69c8ffb9c670/tqdm-%{version}.tar.gz
 # https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721
 Patch0:         CVE-2024-34062.patch
-BuildRequires:  python3-devel python3-setuptools
+BuildRequires:  python3-devel python3-setuptools gcc python3-toml python3-setuptools_scm
 %description
 tqdm derives from the Arabic word taqaddum which can mean "progress". Instantly 
@ -52,7 +54,19 @@ mv -v %{buildroot}%{python3_sitelib}/tqdm/tqdm.1 %{buildroot}%{_mandir}/man1/
 %{_mandir}/man1/tqdm.1*
 %changelog
-* Thu Mar 28 2020 huanghaitao <huanghaitao8@huawei.com> - 4.28.1-2
+* Mon May 06 2024 yaoxin <yao_xin001@hoperun.com> - 4.56.0-4
 - Fix CVE-2024-34062
 * Mon Nov 14 2022 xu_ping <xuping33@h-partners.com> - 4.56.0-3
 - change source path
 * Thu Jun 24 2021 hanhui <hanhui15@huawei.com> - 4.56.0-2
 - add BuildRequires:gcc python3-toml python3-setuptools_scm
 * Mon Feb 1 2021 chengguipeng <chengguiopeng1@huawei.com> - 4.56.0-1
 - Update to 4.56.0
 * Thu May 28 2020 huanghaitao <huanghaitao8@huawei.com> - 4.28.1-2
 - Remove tests
 * Wed Mar 4 2020 hexiujun <hexiujun1@huawei.com> - 4.28.1-1
--- a/tqdm-4.28.1.tar.gz
+++ b/tqdm-4.28.1.tar.gz
--- a/tqdm-4.56.0.tar.gz
+++ b/tqdm-4.56.0.tar.gz
Author	SHA1	Message	Date
openeuler-ci-bot	6ecfdcea25	!33 [sync] PR-27: Fix CVE-2024-34062 From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530	2024-05-06 03:11:17 +00:00
starlet-dx	6b52f7a4dc	Fix CVE-2024-34062 (cherry picked from commit 80fbe07ff159941e115868af7eacb977ea0c08c4)	2024-05-06 10:18:33 +08:00
openeuler-ci-bot	4b9f95b781	!20 change source path From: @cherry530 Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2022-11-14 11:12:53 +00:00
cherry530	07a19de8ed	change source path Signed-off-by: cherry530 <xuping33@huawei.com>	2022-11-14 11:41:52 +08:00
openeuler-ci-bot	19a1fea230	!18 [sync] PR-17: 【轻量级PR】修正changelog中的错误日期 From: @openeuler-sync-bot Reviewed-by: @shinwell_hu Signed-off-by: @shinwell_hu	2022-06-23 00:52:15 +00:00
konglidong	abf6508b70	modify bad date in changelog (cherry picked from commit 297ba50885a56ad24eba779da209e3adaaf2bc87)	2022-06-21 14:14:16 +08:00
openeuler-ci-bot	0667176330	!6 add buildrequire gcc python3-toml python3-setuptools_scm From: @shirely16 Reviewed-by: @myeuler Signed-off-by: @myeuler	2021-06-25 04:08:13 +00:00
shirely16	9a01a60f7b	add buildrequire gcc	2021-06-24 17:02:34 +08:00
openeuler-ci-bot	2552ecaae5	!5 python-tqdm:Updateto 4.56.0 From: @chengguipeng_xian Reviewed-by: @small_leek Signed-off-by: @small_leek	2021-02-01 17:46:47 +08:00
chengguipeng	ca1aa157b8	python-tqdm:Updateto 4.56.0 Signed-off-by: chengguipeng <chengguipeng1@huawei.com>	2021-02-01 15:01:23 +08:00