Login
Newsletter
Werbung
Sicherheit: Ausführen beliebiger Kommandos in tqdm
Aktuelle Meldungen Distributionen
Name: Ausführen beliebiger Kommandos in tqdm
ID: USN-7216-1
Distribution: Ubuntu
Plattformen: Ubuntu 22.04 LTS, Ubuntu 24.04 LTS
Datum: Fr, 17. Januar 2025, 06:39
Referenzen: https://www.cve.org/CVERecord?id=CVE-2024-34062
Applikationen: tqdm

Originalnachricht

 
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============4407154467652576345==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="------------HzBwZJVTh5ycNmCgykr9vi5u"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------HzBwZJVTh5ycNmCgykr9vi5u
Content-Type: multipart/mixed;
 boundary="------------hLo0lCDqnG40fDTwHSylUSMP";
 protected-headers="v1"
From: Nico Campuzano <nicolas.campuzano@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <3cb6ffb6-e6a1-487c-adb7-e205b817704a@canonical.com>
Subject: [USN-7216-1] tqdm vulnerability

--------------hLo0lCDqnG40fDTwHSylUSMP
Content-Type: multipart/mixed;
 boundary="------------gss0OFEDQ850WwMKXnLy0GAX"

--------------gss0OFEDQ850WwMKXnLy0GAX
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================
Ubuntu Security Notice USN-7216-1
January 16, 2025

tqdm vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

tqdm could be made to crash or to allow arbitary code execution if it
received specially crafted input.

Software Description:
- tqdm: fast, extensible progress bar for Python 3 and CLI tool

Details:

It was discovered that tqdm did not properly sanitize non-boolean CLI
Arguments. A local attacker could possibly use this issue to execute
arbitrary code on the host. This issue only affected Ubuntu 22.04 LTS and
Ubuntu 24.04 LTS. (CVE-2024-34062)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
   python3-tqdm                    4.66.2-2ubuntu0.1~esm1
                                   Available with Ubuntu Pro

Ubuntu 22.04 LTS
   python3-tqdm                    4.57.0-2ubuntu0.1~esm2
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7216-1
   CVE-2024-34062

--------------gss0OFEDQ850WwMKXnLy0GAX
Content-Type: application/pgp-keys;
 name="OpenPGP_0x945CCA55E4D641EE.asc"
Content-Disposition: attachment;
 filename="OpenPGP_0x945CCA55E4D641EE.asc"
Content-Description: OpenPGP public key
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsFNBGczyMYBEADYxpX1o2OlzXE8GH0zFPOaJzN2NiNWihzpruUagrv+K0iOkVrk
L2cZwyPS0LXr6ztuhey6UBt29e3gqmip0a6qsL9fSdpunElPu2pCf1hZjazOWYEd
flenRp7gkvUz5xYypcXG3MpP5pfgOm8oRxXJE4yGuwsS/YsAd0XFfUEZCQZZiEpW
cbo46e+EZocrnb1aDCzxyPhvlgYdEHfIsnthcBa9JRTgJfyEulba7mpu89NLTvE/
T4J9QTWrDfb8VAw5JOoMZTbP7S4Ve4NEnoXY5Tbh94JSQgn3p7RnYDbRy0hiXBZr
BuzTU/Hd7Ogydg6vGCqs0AT2CoZXNwbiKXeg+08TQJkMLn91hTPyqcORPq8+ojuR
y8uKb713n68ko7ZdxXV1J+JNE+wgFMW1uWwuQTLXP/w1FUtOGOTT/PRtcKs2dNAh
IDF0TBcbTzfiCYsjAp/KlJMhFlWePg3Fq2KiXY0AEpcFVy/MgpdSVlMzgCVtmUCf
J6oAI+so1QJ8sUaH/byXvrRSN3CEnlecwBmUFGSzFWj25NUP4HaVdengzudxBTPJ
IyZx8kYtnwPRAMu1s4aa7eQ3iOA8NlU0YTccBdfnyvu8xd7zVd6U/dMeoBdpoH6O
C6SBJhboGrplZQVmclAGufB5HEroQzgcQejWTZShArMOtud0fEbW0GY5MwARAQAB
zTtOaWNvbGFzIENhbXB1emFubyBKaW1lbmV6IDxuaWNvbGFzLmNhbXB1emFub0Bj
YW5vbmljYWwuY29tPsLBkQQTAQoAOxYhBCpdQmj56NkMuPwFPJRcylXk1kHuBQJn
M8jGAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEJRcylXk1kHuPBEQ
AK4SCs6z7l9RepNkOMa0UyEMpRqbPg2ozNPovttTOa1o0fsZP55/zoRO0JWrDtYN
/ANpXoHn7hUrvmWNicN8NYosk7jfcojgcg+awQf9Y7+bWshaq01MbXnXjjbadpsK
S4+6iJvD0R4Yb6dUtc4eTujCIdyUz62dvv8eL1Mv9fnPDDb44VVtBDb1G5CQHC3c
TFZanIaUvVkxtvK3YW5DmoJCxgsX3IYI/uNRsW5PiVYZVIST+yWNtkavyty3EhgR
qozDd+4TWi07DqJ5ZGeTvUboZLPhWWaflUc+BXzrcZl8EIbZxFrL4xZBeXyMYgKE
Pti1dkbhuosiRHevxWb4pQucnBKsmA1l0JcVLba2Czl3d7pilATM3qjBhmXe4+cC
jaBbWFsA2emLZArcI+nUywsUlgrgjDyn4EKBoMutxe9Z+NDahe9fgW06wjkY9NhY
OdlOMvSvFvJsYbl9oTnCOaQ+LGi7p47hqROnVV677AMnDlXERMd6vDb8OKakuiqz
6aQ66UoU9x91lqBZUSQ1LOvGqvnCVgADGgnYBzZD4oqrirB8Uq0WLr/Inw+IHzOu
4+e2uHnd17YezkbU1KvGjjVbUMaG/ZIFSf9CSj7dCBBV/zHncXSmPYZoY+4HZvGh
loUChaXBw4zLabvP4Y1+UovLBxHx7lINJUmhOnSD05XozsFNBGczyMYBEADZarOS
9ZAF00Q6uC+onnCCI7wEomVA1nopEmLXq6bqvYgoZP6VH9WGgd/N+coozYkVUT0w
ZlhkLQrwYlipWYhkxJlLSmLaM+hCMTwj6MTF+GFpR5a1Wh0uflBZDR2Y+4aqx1pU
bG6Xhhga3g5WBmQLrfisnOONbG0Xy8ngV1p4FbVez3iFyPxCSDq9Lf78HlR0HpGR
NYkQcXBBnQ19iQAJN0+EUIwONNhytRcmnp4MpfdIFbefvF/JjYy7rpmpe8QaRT/d
+QFZPVtCVfxwoxnz9nj3Ju3PneGJglAAnc/SyKxM4tXu+7U2zX4g9NxOT03sqVjl
gGk/PhLZspjsZxsuuGi5+LBiZ97OGesd8vuOD4LGOhj05beIHuZ8Svt34EdTvyJz
3Pcz+CCbqPdX6ZRUszlPr1VLSgA2vr4UhMrmvK4vRC5HoLygbSvIQzqRPPmgiXCs
+0G9GnmgOJtVwAfL4s7bmOwKBKeiEWAm+uyVKmJ8bRVFIxKnua6J+Ph0H47qvX0C
bi81EY9XAIXyzdYFM3oboXXdFDDFX/OwPJAatbxJVZiYwChX/pj/pT3aThLhW1y5
zBP7V+4GG19q7AMUjsR+h7z46+v8+8NMHyx9fwEniscrP9txVPqrhqM/mqpplGTo
FBvdnbhn5lLEUFokPnOM/uMVHB4ZZkLmygLqwQARAQABwsF2BBgBCgAgFiEEKl1C
aPno2Qy4/AU8lFzKVeTWQe4FAmczyMYCGwwACgkQlFzKVeTWQe5UQBAAi4eG6e4G
w5vLcDki2FVqah08xE5XJTAFg8Zc9dXrG/j2DD2FiPe+LMabiSQ93ZGxePIehSOx
QmDdGsE1lYlWL2NdNDoPZkHMIGH5EgcxUyEIY8zTVKxO6WGsMY1B3el8aoWzdPST
u+jjW6gBcuN3e3h9FKFz2eXRVGiD0YKGQo5WxJkRjjNWr8C9QUZmtI88Q/HRnV9j
grTj/pHHQlqkfM8P97vSc+YhVeprRD3Jtz/zZHUQG2tWiWsH8XHz6/WD3FoQIJY+
gKxsxGPw3hRVNrdJrYihs0M3IJm1BRX19eYyo5kO6AMhPsdUHgG+IZeVEpVFmRkm
NZOzj0PjBdTs3D7i8zAOyW/wFZsqVz/zwY9snryTZI2IkdMzUQBoeL7pDJDgJVoq
YJMXQmUS53PrgNLWM1W+Nli28NNfCgQyX5u5/N7Dy9FfqjN5+Uc7jP1mfYp5W66a
4xrRjLvACn65hi9a0B1jfDLpS96Yh4DgZRaqp9yiYxcwfHcWonyluyysvv7qExkI
bOwO4WVIygmoutFeJJh3JnhIZ+lnxBBQxdzTy7KwhzNgqKgE3rDMtUfq+Rym0yjM
ReWdD/tRjKzJJWldXY681rlnEc7ELBRV25NckO68njNjeBG16D9IZJe5nVYP/ud7
3L0Qt9MsQJBHumRxTZ7yqg6740Pi8AVhXl0=3D
=3D1C3W
-----END PGP PUBLIC KEY BLOCK-----

--------------gss0OFEDQ850WwMKXnLy0GAX--

--------------hLo0lCDqnG40fDTwHSylUSMP--

--------------HzBwZJVTh5ycNmCgykr9vi5u
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEKl1CaPno2Qy4/AU8lFzKVeTWQe4FAmeJlgcFAwAAAAAACgkQlFzKVeTWQe4S
Zg//byrgwK4jwH+lhVjLC1ChuJuQLlT4tkjxDcl6ld1/inYXYNyTvbWyCiCP8Yjil1lr38QA/Row
GBGdGztmeCy/KNTb1cVMkZTdRUeDMCAef4WKeGuoHiHJ+W0BUvI2w4AwU0M/tX1LCYGhI8aVCgCk
WAA4ByWToExUXOonSKPoRYvbla/RHaqJKQ6P2Y/zDEjLoBIsTWmvLQpnOaRpdKQdnAknts8SxkjP
kfUs9GfnUTgWxJWbjomkqF5jnve467I8TrVBmQv6zJZzuOzq9VQUT7oyQnoW/jCiq4rdNJzeE2Wj
SGza0TmcNPeTAKioRuRR3kaxP5bGx9E2Sj2nqO624pfsQtBcUtMaTYIjHAhy900kluwz3yDr+s6s
64f6yDiNCO0eyHeTJFvWIW1bZPbVNEqefz4vbPmOmTw5GPJIOBJv9NhEnWxEpwVxEamxSga8qWg2
J82Vrygjt52rQUBKD9Zl0r6Xn3mwA99TmBSN2hb1CsJiEE0NqCSGzBCTYDQeEChjP82jUU6Hy14e
nY7WeT9oGC8Ftxna0x3ZQsAfcKevw82Z8U3HhTfRRw63j6Mx/6C44UAeDXCNQ7xe4u2AYdrWTJTa
tA7Z/6+LfAwFJ6AmevseqVRJ0mS4BoIy3y+x0BoHByHwMI0hxLz9oCKuv4oqXxmRhCGq9LEQIs4g
qsM=
=2kpZ
-----END PGP SIGNATURE-----

--------------HzBwZJVTh5ycNmCgykr9vi5u--


--===============4407154467652576345==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============4407154467652576345==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung