2 files changed, 65 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch b/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch
new file mode 100644
index 0000000000..a4aaf6248b
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch
@@ -0,0 +1,64 @@
+From 35f8daf26d28950aa44a763f19a13c6ee133ff6c Mon Sep 17 00:00:00 2001
+From: Casper da Costa-Luis <tqdm@cdcl.ml>
+Date: Wed, 1 May 2024 14:56:01 +0100
+Subject: [PATCH] cli: eval safety
+- fixes GHSA-g7vv-2v7x-gj9p
+CVE: CVE-2024-34062
+Upstream-Status: Backport [https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ tqdm/cli.py | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+diff --git a/tqdm/cli.py b/tqdm/cli.py
+index 3ed25fb..e4f587b 100644
+--- a/tqdm/cli.py
+++ b/tqdm/cli.py
+@@ -21,23 +21,34 @@ def cast(val, typ):
+                 return cast(val, t)
+             except TqdmTypeError:
+                 pass
+-        raise TqdmTypeError(val + ' : ' + typ)
+        raise TqdmTypeError(f"{val} : {typ}")
+ 
+     # sys.stderr.write('\ndebug | `val:type`: `' + val + ':' + typ + '`.\n')
+     if typ == 'bool':
+         if (val == 'True') or (val == ''):
+             return True
+-        elif val == 'False':
+        if val == 'False':
+             return False
+-        else:
+-            raise TqdmTypeError(val + ' : ' + typ)
+-    try:
+-        return eval(typ + '("' + val + '")')
+-    except Exception:
+-        if typ == 'chr':
+-            return chr(ord(eval('"' + val + '"'))).encode()
+-        else:
+-            raise TqdmTypeError(val + ' : ' + typ)
+        raise TqdmTypeError(val + ' : ' + typ)
+    if typ == 'chr':
+        if len(val) == 1:
+            return val.encode()
+        if re.match(r"^\\\w+$", val):
+            return eval(f'"{val}"').encode()
+        raise TqdmTypeError(f"{val} : {typ}")
+    if typ == 'str':
+        return val
+    if typ == 'int':
+        try:
+            return int(val)
+        except ValueError as exc:
+            raise TqdmTypeError(f"{val} : {typ}") from exc
+    if typ == 'float':
+        try:
+            return float(val)
+        except ValueError as exc:
+            raise TqdmTypeError(f"{val} : {typ}") from exc
+    raise TqdmTypeError(f"{val} : {typ}")
+ 
+ 
+ def posix_pipe(fin, fout, delim=b'\\n', buf_size=256,
diff --git a/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb b/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb
index 3cb45f1a6e..5533b34d25 100644
--- a/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb
+++ b/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb
@@ -5,6 +5,7 @@ SECTION = "devel/python"
 LICENSE = "MIT & MPL-2.0"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=1672e2674934fd93a31c09cf17f34100"
+SRC_URI += "file://CVE-2024-34062.patch"
 SRC_URI[sha256sum] = "40be55d30e200777a307a7585aee69e4eabb46b4ec6a4b4a5f2d9f11e7d5408d"
 inherit pypi python_setuptools_build_meta

diff --git a/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch b/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch new file mode 100644 index 0000000000..a4aaf6248b --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch
@@ -0,0 +1,64 @@
		1	From 35f8daf26d28950aa44a763f19a13c6ee133ff6c Mon Sep 17 00:00:00 2001
		2	From: Casper da Costa-Luis <tqdm@cdcl.ml>
		3	Date: Wed, 1 May 2024 14:56:01 +0100
		4	Subject: [PATCH] cli: eval safety
		5
		6	- fixes GHSA-g7vv-2v7x-gj9p
		7
		8	CVE: CVE-2024-34062
		9	Upstream-Status: Backport [https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316]
		10	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		11	---
		12	tqdm/cli.py \| 33 ++++++++++++++++++++++-----------
		13	1 file changed, 22 insertions(+), 11 deletions(-)
		14
		15	diff --git a/tqdm/cli.py b/tqdm/cli.py
		16	index 3ed25fb..e4f587b 100644
		17	--- a/tqdm/cli.py
		18	+++ b/tqdm/cli.py
		19	@@ -21,23 +21,34 @@ def cast(val, typ):
		20	return cast(val, t)
		21	except TqdmTypeError:
		22	pass
		23	- raise TqdmTypeError(val + ' : ' + typ)
		24	+ raise TqdmTypeError(f"{val} : {typ}")
		25
		26	# sys.stderr.write('\ndebug \| `val:type`: `' + val + ':' + typ + '`.\n')
		27	if typ == 'bool':
		28	if (val == 'True') or (val == ''):
		29	return True
		30	- elif val == 'False':
		31	+ if val == 'False':
		32	return False
		33	- else:
		34	- raise TqdmTypeError(val + ' : ' + typ)
		35	- try:
		36	- return eval(typ + '("' + val + '")')
		37	- except Exception:
		38	- if typ == 'chr':
		39	- return chr(ord(eval('"' + val + '"'))).encode()
		40	- else:
		41	- raise TqdmTypeError(val + ' : ' + typ)
		42	+ raise TqdmTypeError(val + ' : ' + typ)
		43	+ if typ == 'chr':
		44	+ if len(val) == 1:
		45	+ return val.encode()
		46	+ if re.match(r"^\\\w+$", val):
		47	+ return eval(f'"{val}"').encode()
		48	+ raise TqdmTypeError(f"{val} : {typ}")
		49	+ if typ == 'str':
		50	+ return val
		51	+ if typ == 'int':
		52	+ try:
		53	+ return int(val)
		54	+ except ValueError as exc:
		55	+ raise TqdmTypeError(f"{val} : {typ}") from exc
		56	+ if typ == 'float':
		57	+ try:
		58	+ return float(val)
		59	+ except ValueError as exc:
		60	+ raise TqdmTypeError(f"{val} : {typ}") from exc
		61	+ raise TqdmTypeError(f"{val} : {typ}")
		62
		63
		64	def posix_pipe(fin, fout, delim=b'\\n', buf_size=256,


diff --git a/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb b/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb index 3cb45f1a6e..5533b34d25 100644 --- a/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb +++ b/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb
@@ -5,6 +5,7 @@ SECTION = "devel/python"
5	LICENSE = "MIT & MPL-2.0"	5	LICENSE = "MIT & MPL-2.0"
6	LIC_FILES_CHKSUM = "file://LICENCE;md5=1672e2674934fd93a31c09cf17f34100"	6	LIC_FILES_CHKSUM = "file://LICENCE;md5=1672e2674934fd93a31c09cf17f34100"
7		7
		8	SRC_URI += "file://CVE-2024-34062.patch"
8	SRC_URI[sha256sum] = "40be55d30e200777a307a7585aee69e4eabb46b4ec6a4b4a5f2d9f11e7d5408d"	9	SRC_URI[sha256sum] = "40be55d30e200777a307a7585aee69e4eabb46b4ec6a4b4a5f2d9f11e7d5408d"
9		10
10	inherit pypi python_setuptools_build_meta	11	inherit pypi python_setuptools_build_meta