Security
Headlines
HeadlinesLatestCVEs

Headline

Gentoo Linux Security Advisory 202409-30

Gentoo Linux Security Advisory 202409-30 - Multiple vulnerabilities have been found in yt-dlp, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2024.07.01 are affected.

Packet Storm
#vulnerability#web#mac#linux

Gentoo Linux Security Advisory GLSA 202409-30


                                       https://security.gentoo.org/  

Severity: Normal
Title: yt-dlp: Multiple Vulnerabilities
Date: September 28, 2024
Bugs: #909780, #917355, #935316
ID: 202409-30


Synopsis

Multiple vulnerabilities have been found in yt-dlp, the worst of which
could result in arbitrary code execution.

Background

yt-dlp is a youtube-dl fork with additional features and fixes.

Affected packages

Package Vulnerable Unaffected


net-misc/yt-dlp < 2024.07.01 >= 2024.07.01

Description

Multiple vulnerabilities have been found in yt-dlp. Please review the
referenced CVE identifiers for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All yt-dlp users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose “>=net-misc/yt-dlp-2024.07.01”

References

[ 1 ] CVE-2023-35934
https://nvd.nist.gov/vuln/detail/CVE-2023-35934
[ 2 ] CVE-2023-46121
https://nvd.nist.gov/vuln/detail/CVE-2023-46121
[ 3 ] CVE-2024-38519
https://nvd.nist.gov/vuln/detail/CVE-2024-38519

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-30

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Related news

GHSA-79w7-vh3h-8g4j: yt-dlp File system modification and RCE through improper file-extension sanitization

### Summary `yt-dlp` does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` also reads config from the working directory (and on Windows executables will be executed from the yt-dlp directory) this could lead to arbitrary code being executed. ### Patches `yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. This means some very uncommon extensions might not get downloaded; however, it will also limit the possible exploitation surface. ### Workarounds It is recommended to upgrade yt-dlp to version 2024.07.01 as soon as possible, **always** have `.%(ext)s` at the end of the output template, and make sure you trust the websites that you are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like your user directory, `system32`, or other binaries locations. For users not able to up...

GHSA-3ch3-jhc6-5r8x: yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection

### Impact The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. <details> To pass extra control data between extractors (such as headers like `Referer`), yt-dlp employs a concept of "url smuggling". This works by adding this extra data as json to the url fragment ("smuggling") that is then passed on to an extractor. The receiving extractor then "unsmuggles" the data from the input url. This functionality is intended to be internal only. Currently, the Generic extractor supports receiving an arbitrary dictionary of HTTP headers in a smuggled url, of which it extracts and adds them to the initial request it makes to such url. This is useful when a url sent to the Generic extractor needs a `Referer` header sent with it, for example. Additionally, yt-dlp has internal headers to set a proxy ...

CVE-2023-46121: Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.

CVE-2023-35934: Release yt-dlp nightly 2023.07.06.185519 · yt-dlp/yt-dlp-nightly-builds

yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later). At the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped. yt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; havi...

GHSA-v8mc-9377-rwjj: yt-dlp File Downloader cookie leak

### Impact During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in all versions of [youtube-dl](https://github.com/ytdl-org/youtube-dl), [youtube-dlc](https://github.com/blackjack4494/yt-dlc) and [yt-dlp](https://github.com/yt-dlp/yt-dlp) released since 2015.01.25. All native and external downloaders are affected, except for `curl` and `httpie` (httpie version 3.1.0 or later). At the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped. An example of a potential attack scena...

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution