
Debian Bug report logs - #1040595
yt-dlp: CVE-2023-35934


Package: src:yt-dlp; Maintainer for src:yt-dlp is Unit 193 <unit193@debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 7 Jul 2023 19:00:09 UTC

Severity: important

Tags: security, upstream

Found in version yt-dlp/2023.06.22-1

Fixed in version yt-dlp/2023.07.06-1

Done: Unit 193 <unit193@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Unit 193 <unit193@debian.org>:
Bug#1040595; Package src:yt-dlp. (Fri, 07 Jul 2023 19:00:11 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Unit 193 <unit193@debian.org>. (Fri, 07 Jul 2023 19:00:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: yt-dlp: CVE-2023-35934
Date: Fri, 7 Jul 2023 20:58:22 +0200
Source: yt-dlp
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for yt-dlp.

CVE-2023-35934[0]:
| yt-dlp is a command-line program to download videos from video
| sites. During file downloads, yt-dlp or the external downloaders
| that yt-dlp employs may leak cookies on HTTP redirects to a
| different host, or leak them when the host for download fragments
| differs from their parent manifest's host. This vulnerable behavior
| is present in yt-dlp prior to 2023.07.06 and nightly
| 2023.07.06.185519. All native and external downloaders are affected,
| except for `curl` and `httpie` (version 3.1.0 or later).  At the
| file download stage, all cookies are passed by yt-dlp to the file
| downloader as a `Cookie` header, thereby losing their scope. This
| also occurs in yt-dlp's info JSON output, which may be used by
| external tools. As a result, the downloader or external tool may
| indiscriminately send cookies with requests to domains or paths for
| which the cookies are not scoped.  yt-dlp version 2023.07.06 and
| nightly 2023.07.06.185519 fix this issue by removing the `Cookie`
| header upon HTTP redirects; having native downloaders calculate the
| `Cookie` header from the cookiejar, utilizing external downloaders'
| built-in support for cookies instead of passing them as header
| arguments, disabling HTTP redirection if the external downloader
| does not have proper cookie support, processing cookies passed as
| HTTP headers to limit their scope, and having a separate field for
| cookies in the info dict storing more information about scoping.
| Some workarounds are available for those who are unable to upgrade.
| Avoid using cookies and user authentication methods. While
| extractors may set custom cookies, these usually do not contain
| sensitive information. Alternatively, avoid using `--load-info-
| json`. Or, if authentication is a must: verify the integrity of
| download links from unknown sources in browser (including redirects)
| before passing them to yt-dlp; use `curl` as external downloader,
| since it is not impacted; and/or avoid fragmented formats such as
| HLS/m3u8, DASH/mpd and ISM.

https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj
https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729
https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07
https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-35934
    https://www.cve.org/CVERecord?id=CVE-2023-35934

Please adjust the affected versions in the BTS as needed.
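The advisory quoted above describes the fix as scoping a static `Cookie` header to the input URL's host and having downloaders recompute the header from the cookiejar per request. The following is an added illustration of that approach using the standard library cookiejar; it is not yt-dlp's own code, and the function names, the URLs and the cookie values are constructed for the example.

```python
"""Scoped cookie handling for a downloader: an added illustration of the
CVE-2023-35934 fix described in the advisory, not yt-dlp's own code."""
from http.cookiejar import Cookie, CookieJar
from urllib.parse import urlsplit
from urllib.request import Request


def scope_cookie_header(jar, cookie_header, input_url):
    """Turn a static 'Cookie: a=1; b=2' header into jar entries bound to the
    input URL's host, instead of a header that is replayed to every host."""
    parts = urlsplit(input_url)
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if not name:
            continue
        # Version-0 cookie with an explicit domain, path '/', and the Secure
        # flag set when the input URL itself was https.
        jar.set_cookie(Cookie(0, name, value, None, False, parts.hostname, True,
                              False, "/", True, parts.scheme == "https",
                              None, False, None, None, {}))


def headers_for(jar, url, extra_headers=None):
    """Build request headers for one URL. Any static Cookie header is dropped
    and the value is recomputed from the jar, so the jar's domain, path,
    Secure and expiry rules decide what is sent to each redirect target or
    fragment host; hosts outside the cookies' scope get no Cookie header."""
    headers = {k: v for k, v in (extra_headers or {}).items()
               if k.lower() != "cookie"}
    req = Request(url, headers=headers)
    jar.add_cookie_header(req)  # applies the cookiejar's matching policy
    cookie = req.get_header("Cookie")
    if cookie:
        headers["Cookie"] = cookie
    return headers
```

Calling `headers_for` again for every redirect target and every fragment URL, rather than reusing the headers of the first request, is what keeps the session cookie from following a redirect to another host.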



Marked as fixed in versions yt-dlp/2023.07.06-1. Request was from Unit 193 <unit193@debian.org> to control@bugs.debian.org. (Sat, 08 Jul 2023 01:09:05 GMT)


Marked Bug as done. Request was from Unit 193 <unit193@debian.org> to control@bugs.debian.org. (Sat, 08 Jul 2023 01:09:05 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 08 Jul 2023 01:09:06 GMT)


Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1040595. (Sat, 08 Jul 2023 01:15:02 GMT)


Message #14 received at 1040595-submitter@bugs.debian.org:

From: Unit 193 <unit193@debian.org>
To: control@bugs.debian.org
Cc: 1040595-submitter@bugs.debian.org
Subject: closing 1040595
Date: Fri, 07 Jul 2023 21:02:51 -0400
close 1040595 2023.07.06-1
thanks

Howdy,

Unfortunately I uploaded yt-dlp 2023.07.06-1 before this bug was filed, so could not
include the bug reference and CVE-2023-35934 in the changelog.

The relevant part of upstream's changelog for that release:

* Security: [CVE-2023-35934] Fix Cookie leak
  + --add-header Cookie: is deprecated and auto-scoped to input URL domains
  + Cookies are scoped when passed to external downloaders
  + Add cookie field to info.json and deprecate http_headers.Cookie


Regards,

~Unit 193
Unit193 @ OFTC
Unit193 @ Libera




Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 08 Jul 2023 06:27:09 GMT)


Marked as found in versions yt-dlp/2023.06.22-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 08 Jul 2023 07:18:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 8 11:58:17 2023; Machine Name: buxtehude
