Fixed version already in-tree+stable, and old was removed. CVE-2024-38519: yt-dlp does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since yt-dlp also reads config from the working directory (and on Windows executables will be executed from the yt-dlp directory) this could lead to arbitrary code being executed.
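The description above says the root problem is an unrestricted, remotely supplied file extension. As an added illustration (this is not yt-dlp's own code, and the allowlist and helper names are constructed for the example), the following shows the kind of check that closes both vectors mentioned here: an extension allowlist that refuses "exe", "conf", "bat" and anything containing path separators, plus a confirmation that the final path still lies inside the download directory.

```python
import os
import re

# Constructed allowlist of extensions a media downloader would legitimately
# write. This is an example list for illustration, not yt-dlp's own.
ALLOWED_EXTENSIONS = frozenset({
    'mp4', 'mkv', 'webm', 'mov', 'avi', 'flv', 'ts', 'm4v',
    'mp3', 'm4a', 'aac', 'ogg', 'opus', 'flac', 'wav',
    'jpg', 'jpeg', 'png', 'webp', 'gif',
    'vtt', 'srt', 'ass', 'json', 'part', 'ytdl',
})


class UnsafeExtensionError(ValueError):
    """Raised when a remotely supplied extension is outside the allowlist."""


def sanitize_extension(ext):
    """Normalise an extension that came from the remote site, or raise.

    The output template alone cannot guard this: the extension is chosen by
    the extractor (i.e. by the remote site), so it must be validated, not
    merely escaped.
    """
    ext = ext.strip().lower()
    # Only short alphanumeric tokens: rejects '', 'mp4\\..\\x', 'a/b', etc.
    if not re.fullmatch(r'[a-z0-9]{1,10}', ext):
        raise UnsafeExtensionError(ext)
    # Allowlist rather than denylist: 'exe', 'conf', 'bat', 'ps1' all fail here.
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeExtensionError(ext)
    return ext


def build_output_path(download_dir, title, ext):
    """Compose <download_dir>/<title>.<ext> and confirm it stays inside download_dir."""
    ext = sanitize_extension(ext)
    # Strip both separator kinds (this may run on Windows) and NUL from the title.
    safe_title = re.sub(r'[\\/\x00]', '_', title).strip()
    if not safe_title or safe_title in ('.', '..'):
        raise ValueError('empty or traversal-only title')
    path = os.path.join(download_dir, f'{safe_title}.{ext}')
    # Belt and braces: even after sanitising, refuse anything that resolves
    # outside the download directory (symlinks, drive changes, etc.).
    base = os.path.realpath(download_dir)
    if os.path.commonpath([base, os.path.realpath(path)]) != base:
        raise ValueError('path escapes download directory')
    return path


def classify(download_dir, title, ext):
    """Demonstration helper: 'ok' if the path is accepted, else the error class name."""
    try:
        build_output_path(download_dir, title, ext)
        return 'ok'
    except (UnsafeExtensionError, ValueError) as exc:
        return type(exc).__name__


if __name__ == '__main__':
    # Constructed inputs: one benign, the rest shaped like the vectors described above.
    for title, ext in [('video', 'webm'), ('yt-dlp', 'conf'), ('video', 'exe'),
                       ('video', 'mp4\\..\\yt-dlp.conf'), ('..', 'mp4')]:
        print(f'{title!r}.{ext!r}: {classify("downloads", title, ext)}')
```

Note that the "yt-dlp"/"conf" case is the config-drop vector from the discussion that follows: with the allowlist in place a remote site can no longer cause a file named like a config file to be written into the working directory, and the separator check covers the Windows traversal case.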
I get the impression the impact of this issue is lower on Linux than on Windows (aka no RCE) if I read this right.
(In reply to Ionen Wolkens from comment #1)
> I get the impression the impact of this issue is lower on Linux than on
> Windows (aka no RCE) if I read this right.

I don't think so, since there is also a vector where a config file with an "--exec" option is dropped. This would limit the attack to only running code already on the system, I think, but that still opens up enough possibilities.
(In reply to Hans de Graaff from comment #2)
> (In reply to Ionen Wolkens from comment #1)
> > I get the impression the impact of this issue is lower on Linux than on
> > Windows (aka no RCE) if I read this right.
>
> I don't think so, since there is also a vector where a config file with an
> "--exec" option is dropped. This would limit the attack to only running code
> already on the system, I think, but that still opens up enough possibilities.

Sounds right, thanks.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4ab000f476fab4cc4330333d07bcbee73a37baca

commit 4ab000f476fab4cc4330333d07bcbee73a37baca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-28 07:39:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-28 07:39:43 +0000

    [ GLSA 202409-30 ] yt-dlp: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/909780
    Bug: https://bugs.gentoo.org/917355
    Bug: https://bugs.gentoo.org/935316
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-30.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)