tqdm: Arbitrary code execution — GLSA 201807-01

A vulnerability in tqdm could allow remote attackers to execute arbitrary code.

Affected Packages

dev-python/tqdm on all architectures
Affected versions < 4.23.3
Unaffected versions >= 4.23.3

Background

tqdm is a smart progress meter.

Description

A vulnerablility was discovered in tqdm._version that could allow a malicious git log within the current working directory.

Impact

A remote attacker could execute arbitrary commands by enticing a user to clone a crafted repo.

Workaround

There is no known workaround at this time.

Resolution

All tqdm users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-python/tqdm-4.23.3"
 

References

Release Date
July 18, 2018

Latest Revision
July 18, 2018: 1

Severity
normal

Exploitable
remote

Bugzilla entries