Bug 917355 (CVE-2023-46121) - <net-misc/yt-dlp-2023.11.14 Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection (CVE-2023-46121)
Summary: <net-misc/yt-dlp-2023.11.14 Generic Extractor MITM Vulnerability via Arbitrar...
Status: RESOLVED FIXED
Alias: CVE-2023-46121
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/yt-dlp/yt-dlp/secu...
Whiteboard: B4 [glsa+]
Reported: 2023-11-14 23:35 UTC by Ionen Wolkens
Modified: 2024-09-28 07:41 UTC
Runtime testing required: ---
Description Ionen Wolkens gentoo-dev 2023-11-14 23:35:43 UTC
Fixed version already in-tree, pending stable+cleanup.

CVE-2023-46121:
The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary URL, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases.
Comment 1 Larry the Git Cow gentoo-dev 2023-11-20 05:12:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0523a83f97c3adc1eb9f9ec52a067f4619987593

commit 0523a83f97c3adc1eb9f9ec52a067f4619987593
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-11-20 05:10:18 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-11-20 05:10:21 +0000

    net-misc/yt-dlp: drop vulnerable 2023.10.13
    
    Bug: https://bugs.gentoo.org/917355
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/Manifest                 |  1 -
 net-misc/yt-dlp/yt-dlp-2023.10.13.ebuild | 71 --------------------------------
 2 files changed, 72 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2b752c52071b8b4972d27fb468960cad9b1bf79

commit f2b752c52071b8b4972d27fb468960cad9b1bf79
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-11-20 05:09:14 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-11-20 05:09:51 +0000

    net-misc/yt-dlp: stabilize 2023.11.16 ALLARCHES (amd64)
    
    Bug: https://bugs.gentoo.org/917355
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/yt-dlp-2023.11.16.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-09-28 07:39:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4ab000f476fab4cc4330333d07bcbee73a37baca

commit 4ab000f476fab4cc4330333d07bcbee73a37baca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-28 07:39:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-28 07:39:43 +0000

    [ GLSA 202409-30 ] yt-dlp: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/909780
    Bug: https://bugs.gentoo.org/917355
    Bug: https://bugs.gentoo.org/935316
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-30.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)