Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 935316 (CVE-2024-38519) - <net-misc/yt-dlp-2024.07.01: File system modification and RCE through improper file-extension sanitization (CVE-2024-38519)
Summary: <net-misc/yt-dlp-2024.07.01: File system modification and RCE through imprope...
Status: RESOLVED FIXED
Alias: CVE-2024-38519
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/yt-dlp/yt-dlp/secu...
Whiteboard: B2 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-02 01:55 UTC by Ionen Wolkens
Modified: 2024-09-28 07:41 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ionen Wolkens gentoo-dev 2024-07-02 01:55:20 UTC 
Fixed version already in-tree+stable, and old was removed.

CVE-2024-38519:
yt-dlp does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since yt-dlp also reads config from the working directory (and on Windows executables will be executed from the yt-dlp directory) this could lead to arbitrary code being executed.
Comment 1 Ionen Wolkens gentoo-dev 2024-07-02 03:47:50 UTC 
I get the impression the impact of this issue is lower on Linux than on Windows (aka no RCE) if I read this right.
Comment 2 Hans de Graaff gentoo-dev Security 2024-07-03 05:22:34 UTC 
(In reply to Ionen Wolkens from comment #1)
> I get the impression the impact of this issue is lower on Linux than on
> Windows (aka no RCE) if I read this right.

I don't think so, since there is also a vector where a config file with an "--exec" option is dropped. This would limit the attack to only running code already on the system, I think, but that still opens up enough possibilities.
Comment 3 Ionen Wolkens gentoo-dev 2024-07-03 06:44:29 UTC 
(In reply to Hans de Graaff from comment #2)
> (In reply to Ionen Wolkens from comment #1)
> > I get the impression the impact of this issue is lower on Linux than on
> > Windows (aka no RCE) if I read this right.
> 
> I don't think so, since there is also a vector where a config file with an
> "--exec" option is dropped. This would limit the attack to only running code
> already on the system, I think, but that still opens up enough possibilities.
Sounds right, thanks.
Comment 4 Larry the Git Cow gentoo-dev 2024-09-28 07:39:47 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4ab000f476fab4cc4330333d07bcbee73a37baca

commit 4ab000f476fab4cc4330333d07bcbee73a37baca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-28 07:39:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-28 07:39:43 +0000

    [ GLSA 202409-30 ] yt-dlp: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/909780
    Bug: https://bugs.gentoo.org/917355
    Bug: https://bugs.gentoo.org/935316
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-30.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)