Bug 909780 (CVE-2023-35934) - <net-misc/yt-dlp-2023.07.06: cookie leak vulnerability (CVE-2023-35934)
Summary: <net-misc/yt-dlp-2023.07.06: cookie leak vulnerability (CVE-2023-35934)
Status: CONFIRMED
Alias: CVE-2023-35934
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/yt-dlp/yt-dlp/secu...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-06 21:24 UTC by Ionen Wolkens
Modified: 2023-07-06 21:29 UTC (History)
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Ionen Wolkens gentoo-dev 2023-07-06 21:24:16 UTC
> During file downloads, yt-dlp or the external downloaders that
> yt-dlp employs may leak cookies on HTTP redirects to a different
> host, or leak them when the host for download fragments differs
> from their parent manifest's host.
> 
> This vulnerable behavior is present in all versions of youtube-dl,
> youtube-dlc and yt-dlp released since 2015.01.25. All native and
> external downloaders are affected, except for curl and httpie
> (httpie version 3.1.0 or later).
Summary is already <Ver, given bump+stable+cleanup is getting pushed in a minute; typical for this package to get stabled quickly, or sometimes immediately, either way.
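The two leak conditions quoted in the description (a redirect that lands on a different host, and a fragment served from a host other than the manifest's) come down to one question: may a credential that was attached to request A be sent on request B? The block below is an added example written for this page; it is not yt-dlp's code and does not reproduce the upstream fix. It uses only the standard library (`urllib.request`), and the scoping rule it applies (same hostname, no https-to-http downgrade; the `CREDENTIAL_HEADERS` tuple and all function names) is a policy chosen for the example, not something the advisory specifies.

```python
"""Cookie scoping for a downloader that follows redirects and fetches
manifest fragments.  Added example for illustration only; not yt-dlp's
code and not its actual fix.  The rule below is an assumption made for
this example."""
import urllib.request
from urllib.parse import urlsplit

# Headers that carry credentials and must not follow a request to a
# different host (policy chosen for this example).
CREDENTIAL_HEADERS = ("cookie", "authorization")


def cookies_may_follow(from_url, to_url):
    """True if a credential attached to a request for from_url may be
    sent along with a request for to_url.

    Rule used here: same hostname (compared case-insensitively) and no
    https -> http downgrade.  Anything else is a different scope."""
    src, dst = urlsplit(from_url), urlsplit(to_url)
    if not dst.hostname or src.hostname != dst.hostname:
        return False
    if src.scheme == "https" and dst.scheme != "https":
        return False
    return True


def scrub_credentials(headers, from_url, to_url):
    """Return a copy of headers with credential headers dropped when
    to_url lies outside the cookie scope of from_url."""
    if cookies_may_follow(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if k.lower() not in CREDENTIAL_HEADERS}


class CookieScrubbingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib redirect handler that strips explicitly set Cookie and
    Authorization headers when the Location points at another host.

    The stock handler copies every request header (except content
    headers) onto the follow-up request, so a Cookie header that was
    set explicitly on the first request would otherwise be replayed to
    whatever host the redirect names."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new_req is not None and not cookies_may_follow(req.full_url, newurl):
            for name in CREDENTIAL_HEADERS:
                # Request stores header names capitalised ("Cookie").
                new_req.remove_header(name.capitalize())
        return new_req


def redirect_with_scrubbing(url, headers, code, location):
    """Build the follow-up request urllib would issue for a redirect
    from url to location, with the scrubbing handler applied.  Returns
    (target_url, headers_that_would_be_sent)."""
    req = urllib.request.Request(url, headers=headers)
    new_req = CookieScrubbingRedirectHandler().redirect_request(
        req, None, code, "Found", None, location)
    return new_req.full_url, dict(new_req.headers)


def fragment_headers(manifest_url, fragment_url, manifest_headers):
    """Headers for a fragment request: identical to the manifest's
    headers only while the fragment is served by the manifest's host."""
    return scrub_credentials(manifest_headers, manifest_url, fragment_url)


if __name__ == "__main__":
    # Constructed sample: a session cookie set for the video host.
    hdrs = {"Cookie": "session=abc123", "User-Agent": "example/1.0"}
    print(redirect_with_scrubbing("https://video.example.com/a.mp4", hdrs,
                                  302, "https://cdn.other-example.net/a.mp4"))
    print(fragment_headers("https://video.example.com/live.m3u8",
                           "https://edge.other-example.net/seg1.ts", hdrs))
```

Cookies added by `HTTPCookieProcessor` are attached as unredirected headers and are re-evaluated against the cookie jar on each hop, so the handler above only matters for credentials the caller placed in the request headers directly, which is the case the advisory describes for a downloader that passes cookies as plain headers to itself or to an external tool.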
Comment 1 Larry the Git Cow gentoo-dev 2023-07-06 21:29:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4961e69bb42ea7aed35e7bdbd09b618c880e3a4

commit b4961e69bb42ea7aed35e7bdbd09b618c880e3a4
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-07-06 21:06:28 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-07-06 21:28:36 +0000

    net-misc/yt-dlp: drop vulnerable <=2023.07.06
    
    Bug: https://bugs.gentoo.org/909780
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/Manifest                 |  3 --
 net-misc/yt-dlp/yt-dlp-2023.03.04.ebuild | 66 --------------------------------
 net-misc/yt-dlp/yt-dlp-2023.06.21.ebuild | 65 -------------------------------
 net-misc/yt-dlp/yt-dlp-2023.06.22.ebuild | 65 -------------------------------
 4 files changed, 199 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99ca877a40ce0400c0c1a931c9385e564d2d6c15

commit 99ca877a40ce0400c0c1a931c9385e564d2d6c15
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-07-06 21:05:14 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-07-06 21:28:36 +0000

    net-misc/yt-dlp: stabilize 2023.07.06 for ALLARCHES
    
    Little reason to wait when there's notable fixes for this
    package, in this case security wrt bug #909780 and twitter
    access without login among other things.
    
    Bug: https://bugs.gentoo.org/909780
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/yt-dlp-2023.07.06.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f733fa77868c25a3eea687648ae13621d304d36c

commit f733fa77868c25a3eea687648ae13621d304d36c
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-07-06 21:04:41 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-07-06 21:28:36 +0000

    net-misc/yt-dlp: add 2023.07.06
    
    Bug: https://bugs.gentoo.org/909780
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/Manifest                 |  1 +
 net-misc/yt-dlp/yt-dlp-2023.07.06.ebuild | 65 ++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)