
Bug 909780 (CVE-2023-35934)

Summary: <net-misc/yt-dlp-2023.07.06: cookie leak vulnerability (CVE-2023-35934)
Product: Gentoo Security
Component: Vulnerabilities
Status: CONFIRMED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Ionen Wolkens <ionen>
Assignee: Gentoo Security <security>
CC: ionen, slashbeast
URL: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj

Description Ionen Wolkens gentoo-dev 2023-07-06 21:24:16 UTC
> During file downloads, yt-dlp or the external downloaders that
> yt-dlp employs may leak cookies on HTTP redirects to a different
> host, or leak them when the host for download fragments differs
> from their parent manifest's host.
> 
> This vulnerable behavior is present in all versions of youtube-dl,
> youtube-dlc and yt-dlp released since 2015.01.25. All native and
> external downloaders are affected, except for curl and httpie
> (httpie version 3.1.0 or later).
Summary already has <Ver given; bump+stable+cleanup getting pushed in a minute, typical for this package to get stabled quickly or sometimes immediately either way.
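The scoping rule behind the quoted advisory, as an added example that is not yt-dlp's or Gentoo's code: a Cookie header computed once for the manifest URL and reused verbatim reaches the redirect target and the foreign fragment host, whereas a per-request lookup against a domain-scoped http.cookiejar only attaches cookies whose domain matches the host actually being fetched. All hostnames, URLs and the cookie value are constructed.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.parse import urlsplit
import urllib.request
# Constructed request chain: manifest on one host, a redirect target on a
# second host, then fragments served from a third host and from the original.
SAMPLE_CHAIN = [
    "https://video.example.com/watch/manifest.m3u8",
    "https://redirect-target.example.net/watch/manifest.m3u8",
    "https://cdn.other.example/frag/seg-0001.ts",
    "https://video.example.com/frag/seg-0002.ts",
]

def make_cookie(name, value, domain):
    """Build a Netscape-style cookie scoped to *domain* (sample data only)."""
    return Cookie(0, name, value, None, False, domain, True,
                  domain.startswith("."), "/", True, False, None, True,
                  None, None, {})

def build_jar():
    """Jar holding one session cookie for the manifest's parent domain."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("session", "constructed-token", ".example.com"))
    return jar

def cookie_header_scoped(jar, url):
    """Hardened pattern: ask the jar per request; DefaultCookiePolicy attaches
    only cookies whose domain and path match the host actually being fetched."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")  # None when nothing matches

def simulate_download(chain, header_for):
    """Record the Cookie header value each URL in the chain would be sent."""
    return {url: header_for(url) for url in chain}

def compare_policies(chain=SAMPLE_CHAIN):
    """Vulnerable pattern (header computed once for the first URL, reused for
    every redirect and fragment) beside the hardened per-request lookup."""
    jar = build_jar()
    fixed_header = cookie_header_scoped(jar, chain[0])
    return {
        "reused_header": simulate_download(chain, lambda url: fixed_header),
        "per_request": simulate_download(chain, lambda url: cookie_header_scoped(jar, url)),
    }

def foreign_hosts_receiving_cookies(result, manifest_host):
    """Hosts other than the manifest's that were handed a Cookie header."""
    return sorted({urlsplit(u).hostname for u, h in result.items()
                   if h and urlsplit(u).hostname != manifest_host})
```

Running `compare_policies()` and passing each result through `foreign_hosts_receiving_cookies(..., "video.example.com")` lists the two foreign hosts for the reused header and an empty list for the per-request lookup.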
Comment 1 Larry the Git Cow gentoo-dev 2023-07-06 21:29:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4961e69bb42ea7aed35e7bdbd09b618c880e3a4

commit b4961e69bb42ea7aed35e7bdbd09b618c880e3a4
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-07-06 21:06:28 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-07-06 21:28:36 +0000

    net-misc/yt-dlp: drop vulnerable <=2023.07.06
    
    Bug: https://bugs.gentoo.org/909780
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/Manifest                 |  3 --
 net-misc/yt-dlp/yt-dlp-2023.03.04.ebuild | 66 --------------------------------
 net-misc/yt-dlp/yt-dlp-2023.06.21.ebuild | 65 -------------------------------
 net-misc/yt-dlp/yt-dlp-2023.06.22.ebuild | 65 -------------------------------
 4 files changed, 199 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99ca877a40ce0400c0c1a931c9385e564d2d6c15

commit 99ca877a40ce0400c0c1a931c9385e564d2d6c15
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-07-06 21:05:14 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-07-06 21:28:36 +0000

    net-misc/yt-dlp: stabilize 2023.07.06 for ALLARCHES
    
    Little reason to wait when there are notable fixes for this
    package, in this case security wrt bug #909780 and twitter
    access without login among other things.
    
    Bug: https://bugs.gentoo.org/909780
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/yt-dlp-2023.07.06.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f733fa77868c25a3eea687648ae13621d304d36c

commit f733fa77868c25a3eea687648ae13621d304d36c
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-07-06 21:04:41 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-07-06 21:28:36 +0000

    net-misc/yt-dlp: add 2023.07.06
    
    Bug: https://bugs.gentoo.org/909780
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/Manifest                 |  1 +
 net-misc/yt-dlp/yt-dlp-2023.07.06.ebuild | 65 ++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)