Debian Bug report logs - #1040595: yt-dlp: CVE-2023-35934
Reported by: Moritz Mühlenhoff <jmm@inutil.org>
Date: Fri, 7 Jul 2023 19:00:09 UTC
Severity: important
Tags: security, upstream
Found in version yt-dlp/2023.06.22-1
Fixed in version yt-dlp/2023.07.06-1
Done: Unit 193 <unit193@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Unit 193 <unit193@debian.org>: Bug#1040595; Package src:yt-dlp. (Fri, 07 Jul 2023 19:00:11 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Unit 193 <unit193@debian.org>. (Fri, 07 Jul 2023 19:00:11 GMT)
Message #5 received at submit@bugs.debian.org:
Source: yt-dlp
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for yt-dlp.
CVE-2023-35934[0]:
| yt-dlp is a command-line program to download videos from video
| sites. During file downloads, yt-dlp or the external downloaders
| that yt-dlp employs may leak cookies on HTTP redirects to a
| different host, or leak them when the host for download fragments
| differs from their parent manifest's host. This vulnerable behavior
| is present in yt-dlp prior to 2023.07.06 and nightly
| 2023.07.06.185519. All native and external downloaders are affected,
| except for `curl` and `httpie` (version 3.1.0 or later). At the
| file download stage, all cookies are passed by yt-dlp to the file
| downloader as a `Cookie` header, thereby losing their scope. This
| also occurs in yt-dlp's info JSON output, which may be used by
| external tools. As a result, the downloader or external tool may
| indiscriminately send cookies with requests to domains or paths for
| which the cookies are not scoped. yt-dlp version 2023.07.06 and
| nightly 2023.07.06.185519 fix this issue by removing the `Cookie`
| header upon HTTP redirects; having native downloaders calculate the
| `Cookie` header from the cookiejar, utilizing external downloaders'
| built-in support for cookies instead of passing them as header
| arguments, disabling HTTP redirecting if the external downloader
| does not have proper cookie support, processing cookies passed as
| HTTP headers to limit their scope, and having a separate field for
| cookies in the info dict storing more information about scoping.
| Some workarounds are available for those who are unable to upgrade.
| Avoid using cookies and user authentication methods. While
| extractors may set custom cookies, these usually do not contain
| sensitive information. Alternatively, avoid using `--load-info-
| json`. Or, if authentication is a must: verify the integrity of
| download links from unknown sources in browser (including redirects)
| before passing them to yt-dlp; use `curl` as external downloader,
| since it is not impacted; and/or avoid fragmented formats such as
| HLS/m3u8, DASH/mpd and ISM.
https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj
https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729
https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07
https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-35934
https://www.cve.org/CVERecord?id=CVE-2023-35934
Please adjust the affected versions in the BTS as needed.
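To make the mechanism in the advisory concrete, here is an added example written for this bug log; it is not yt-dlp's code and does not reproduce its downloader. It uses Python's standard `http.cookiejar` to show the difference between the pre-fix pattern (every cookie flattened into one static `Cookie` header and replayed on every hop) and the fixed pattern (the header recomputed from the jar per URL, dropped on a cross-host redirect, and cookies supplied as a raw header re-scoped to the input URL's host). The host names, the cookie value, the redirect chain and the function names (`simulate_unscoped`, `simulate_scoped`, `scope_header_cookies`) are constructed for the example; no network request is made.

```python
# Added example (not yt-dlp's code): why a flattened "Cookie:" header leaks on a
# cross-host redirect or a fragment host, and how a cookie jar keeps the scope.
import http.cookiejar
import urllib.request
from urllib.parse import urlsplit


def make_cookie(name, value, domain, path="/"):
    """Build a version-0 (Netscape-style) cookie bound to one domain and path."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path=path, path_specified=True, secure=False, expires=None,
        discard=True, comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def build_jar():
    """Constructed sample jar: one session cookie scoped to video.example."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("session", "SECRET-CONSTRUCTED", "video.example"))
    return jar


def cookie_header_for(jar, url):
    """Let the jar decide which cookies apply to this exact URL.
    Returns None when nothing in the jar is scoped to the URL's host and path."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def flattened_header(jar):
    """Pre-fix pattern: collapse every cookie into one header string,
    discarding the domain and path each cookie was scoped to."""
    return "; ".join(f"{c.name}={c.value}" for c in jar)


def simulate_unscoped(jar, hops):
    """Pre-fix behaviour: the static header is replayed on every hop of a
    redirect chain (or every fragment host), foreign hosts included."""
    header = flattened_header(jar)
    return [(url, header) for url in hops]


def simulate_scoped(jar, hops):
    """Fixed behaviour: recompute the Cookie header from the jar per URL, and
    never carry a Cookie header across a redirect to a different host."""
    first_host = urlsplit(hops[0]).hostname
    sent = []
    for url in hops:
        header = cookie_header_for(jar, url)
        if urlsplit(url).hostname != first_host:
            header = None  # cross-host hop: drop the header unconditionally
        sent.append((url, header))
    return sent


def scope_header_cookies(jar, header_value, input_url):
    """Model of the fixed handling of a raw 'Cookie:' header: the cookies are
    re-parsed and bound to the input URL's host instead of being sent to every
    host the download touches (hypothetical helper, not yt-dlp's)."""
    host = urlsplit(input_url).hostname
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        jar.set_cookie(make_cookie(name.strip(), value.strip(), host))
    return jar


if __name__ == "__main__":
    # Constructed redirect chain: the manifest host hands off to a CDN host.
    chain = ["https://video.example/v/1.mp4", "https://cdn.other.example/f/1.ts"]
    for url, hdr in simulate_unscoped(build_jar(), chain):
        print("unscoped", url, "->", hdr)
    for url, hdr in simulate_scoped(build_jar(), chain):
        print("scoped  ", url, "->", hdr)
```

Running the block prints the session cookie being sent to both hosts in the unscoped run and only to `video.example` in the scoped run. The same per-URL computation is what makes the `--load-info-json` workaround relevant: a JSON file that carries the flattened header carries none of the scoping the jar would have applied.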
Marked as fixed in versions yt-dlp/2023.07.06-1. Request was from Unit 193 <unit193@debian.org> to control@bugs.debian.org. (Sat, 08 Jul 2023 01:09:05 GMT)
Marked Bug as done. Request was from Unit 193 <unit193@debian.org> to control@bugs.debian.org. (Sat, 08 Jul 2023 01:09:05 GMT)
Notification sent to Moritz Mühlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Sat, 08 Jul 2023 01:09:06 GMT)
Message sent on to Moritz Mühlenhoff <jmm@inutil.org>: Bug#1040595. (Sat, 08 Jul 2023 01:15:02 GMT)
Message #14 received at 1040595-submitter@bugs.debian.org:
close 1040595 2023.07.06-1
thanks
Howdy,
Unfortunately I uploaded yt-dlp 2023.07.06-1 before this bug was filed, so could not
include the bug reference and CVE-2023-35934 in the changelog.
The relevant part of upstream's changelog for that release:
* Security: [CVE-2023-35934] Fix Cookie leak
+ --add-header Cookie: is deprecated and auto-scoped to input URL domains
+ Cookies are scoped when passed to external downloaders
+ Add cookie field to info.json and deprecate http_headers.Cookie
Regards,
~Unit 193
Unit193 @ OFTC
Unit193 @ Libera
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 08 Jul 2023 06:27:09 GMT)
Marked as found in versions yt-dlp/2023.06.22-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 08 Jul 2023 07:18:03 GMT)
Last modified: Sat Jul 8 11:58:17 2023