yt-dlp: CVE-2023-46121: Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection

Related Vulnerabilities: CVE-2023-46121  

Debian Bug report logs - #1055996

Package: src:yt-dlp; Maintainer for src:yt-dlp is Unit 193 <unit193@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 15 Nov 2023 19:33:02 UTC

Severity: important

Tags: security, upstream

Found in version yt-dlp/2023.10.13-1

Fixed in version yt-dlp/2023.11.16-1

Done: Unit 193 <unit193@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Unit 193 <unit193@debian.org>:
Bug#1055996; Package src:yt-dlp. (Wed, 15 Nov 2023 19:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Unit 193 <unit193@debian.org>. (Wed, 15 Nov 2023 19:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: yt-dlp: CVE-2023-46121: Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
Date: Wed, 15 Nov 2023 20:28:20 +0100
Source: yt-dlp
Version: 2023.10.13-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for yt-dlp.

CVE-2023-46121[0]:
| yt-dlp is a youtube-dl fork with additional features and fixes. The
| Generic Extractor in yt-dlp is vulnerable to an attacker setting an
| arbitrary proxy for a request to an arbitrary url, allowing the
| attacker to MITM the request made from yt-dlp's HTTP session. This
| could lead to cookie exfiltration in some cases. Version 2023.11.14
| removed the ability to smuggle `http_headers` to the Generic
| extractor, as well as other extractors that use the same pattern.
| Users are advised to upgrade. Users unable to upgrade should disable
| the Generic extractor (or only pass trusted sites with trusted
| content) and take caution when using `--no-check-certificate`.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46121
    https://www.cve.org/CVERecord?id=CVE-2023-46121
[1] https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch4-jhc6-5r8x
[2] https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
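The advisory text above describes the bug as smuggling an arbitrary `http_headers` dict to the Generic extractor through the URL, and the fix as extractors accepting only specific named values. The following is an added illustration of that before/after pattern; it is not yt-dlp's own code, and it assumes a simplified URL-fragment smuggling scheme (`#__youtubedl_smuggle=<url-encoded JSON>`) and a hypothetical `referer`-only allowlist.

```python
import json
import urllib.parse

SMUGGLE_MARKER = "#__youtubedl_smuggle="  # assumed fragment marker for this example


def smuggle_url(url, data):
    """Append extractor-to-extractor data to the URL fragment (assumed scheme)."""
    return url + SMUGGLE_MARKER + urllib.parse.quote(json.dumps(data))


def unsmuggle_url(smuggled_url):
    """Split a smuggled URL back into (clean_url, data dict); data is attacker-influenced."""
    if SMUGGLE_MARKER not in smuggled_url:
        return smuggled_url, {}
    url, _, payload = smuggled_url.rpartition(SMUGGLE_MARKER)
    return url, json.loads(urllib.parse.unquote(payload))


def request_headers_vulnerable(smuggled_url):
    """Pre-fix pattern: whatever 'http_headers' dict was smuggled is applied verbatim.

    Any header name the HTTP session treats as special rides along unchecked,
    which is what let a crafted URL redirect the request elsewhere.
    """
    _, data = unsmuggle_url(smuggled_url)
    return dict(data.get("http_headers") or {})


def request_headers_hardened(smuggled_url):
    """Post-fix pattern: take only the one named value the extractor expects.

    Unknown keys and non-string values are dropped, so smuggled data can no
    longer set arbitrary headers on the session's request.
    """
    _, data = unsmuggle_url(smuggled_url)
    headers = {}
    referer = data.get("referer")  # hypothetical allowlisted key
    if isinstance(referer, str):
        headers["Referer"] = referer
    return headers
```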



Reply sent to Unit 193 <unit193@debian.org>:
You have taken responsibility. (Thu, 16 Nov 2023 07:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 16 Nov 2023 07:51:03 GMT)


Message #10 received at 1055996-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1055996-close@bugs.debian.org
Subject: Bug#1055996: fixed in yt-dlp 2023.11.16-1
Date: Thu, 16 Nov 2023 07:49:12 +0000
Source: yt-dlp
Source-Version: 2023.11.16-1
Done: Unit 193 <unit193@debian.org>

We believe that the bug you reported is fixed in the latest version of
yt-dlp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055996@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Unit 193 <unit193@debian.org> (supplier of updated yt-dlp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 16 Nov 2023 02:25:22 -0500
Source: yt-dlp
Architecture: source
Version: 2023.11.16-1
Distribution: unstable
Urgency: medium
Maintainer: Unit 193 <unit193@debian.org>
Changed-By: Unit 193 <unit193@debian.org>
Closes: 1055996
Changes:
 yt-dlp (2023.11.16-1) unstable; urgency=medium
 .
   * New upstream version 2023.11.16.
     - Patch Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection.
       Disallow smuggling of arbitrary http_headers; extractors now only use
       specific headers. (Closes: #1055996, CVE-2023-46121)
   * d/control: Drop rtmpdump and mpv, as their use is deprecated.
   * d/t/upstream-tests.sh: Fix a typo in a variable name.





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 16 17:56:18 2023; Machine Name: buxtehude