Source: yt-dlp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for yt-dlp.

CVE-2023-35934[0]:
| yt-dlp is a command-line program to download videos from video
| sites. During file downloads, yt-dlp or the external downloaders
| that yt-dlp employs may leak cookies on HTTP redirects to a
| different host, or leak them when the host for download fragments
| differs from their parent manifest's host. This vulnerable behavior
| is present in yt-dlp prior to 2023.07.06 and nightly
| 2023.07.06.185519. All native and external downloaders are affected,
| except for `curl` and `httpie` (version 3.1.0 or later). At the
| file download stage, all cookies are passed by yt-dlp to the file
| downloader as a `Cookie` header, thereby losing their scope. This
| also occurs in yt-dlp's info JSON output, which may be used by
| external tools. As a result, the downloader or external tool may
| indiscriminately send cookies with requests to domains or paths for
| which the cookies are not scoped. yt-dlp version 2023.07.06 and
| nightly 2023.07.06.185519 fix this issue by removing the `Cookie`
| header upon HTTP redirects; having native downloaders calculate the
| `Cookie` header from the cookiejar; utilizing external downloaders'
| built-in support for cookies instead of passing them as header
| arguments; disabling HTTP redirection if the external downloader
| does not have proper cookie support; processing cookies passed as
| HTTP headers to limit their scope; and having a separate field for
| cookies in the info dict storing more information about scoping.
| Some workarounds are available for those who are unable to upgrade.
| Avoid using cookies and user authentication methods. While
| extractors may set custom cookies, these usually do not contain
| sensitive information. Alternatively, avoid using `--load-info-json`.
| Or, if authentication is a must: verify the integrity of
| download links from unknown sources in browser (including redirects)
| before passing them to yt-dlp; use `curl` as external downloader,
| since it is not impacted; and/or avoid fragmented formats such as
| HLS/m3u8, DASH/mpd and ISM.

https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj
https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729
https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07
https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-35934
    https://www.cve.org/CVERecord?id=CVE-2023-35934

Please adjust the affected versions in the BTS as needed.
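The scope loss described in the advisory, shown as an added example (not yt-dlp's code, nor from the commits linked above): a cookie that is flattened into a fixed `Cookie` header travels with every request, including a redirect or a fragment fetch on a different host, whereas a header computed per request from a cookiejar is only emitted for URLs the cookie is actually scoped to. The host names and the cookie value are constructed for the illustration; `follow_redirect` is a hypothetical helper standing in for the "remove the `Cookie` header on redirect and recompute it from the cookiejar" behaviour the fixed releases implement.

```python
import http.cookiejar
import urllib.request


def make_jar():
    """Constructed cookiejar: one session cookie scoped to video.example.com,
    path "/". The hosts and value are made up for this example."""
    jar = http.cookiejar.CookieJar()
    cookie = http.cookiejar.Cookie(
        version=0, name="session", value="SECRET",
        port=None, port_specified=False,
        domain="video.example.com", domain_specified=True,
        domain_initial_dot=False,
        path="/", path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )
    jar.set_cookie(cookie)
    return jar


def cookie_header_from_jar(jar, url):
    """Fixed pattern: ask the cookiejar which cookies match this URL.
    Returns the Cookie header value, or None if nothing is in scope."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies domain/path/secure matching
    return req.get_header("Cookie")


def flat_headers(jar, origin_url):
    """Vulnerable pattern: compute the Cookie header once for the origin
    URL and hand it to a downloader as a plain header. From here on the
    downloader has no idea which host the cookie belonged to."""
    return {"Cookie": cookie_header_from_jar(jar, origin_url),
            "User-Agent": "example-downloader/0"}


def follow_redirect(jar, headers, to_url):
    """Hypothetical fixed redirect step: drop any explicit Cookie header
    and let the cookiejar recompute it for the new URL, so a cookie scoped
    to the original host is not replayed to a different one. The same
    function serves a fragment URL whose host differs from its manifest."""
    new_headers = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    cookie = cookie_header_from_jar(jar, to_url)
    if cookie:
        new_headers["Cookie"] = cookie
    return new_headers


if __name__ == "__main__":
    jar = make_jar()
    manifest = "http://video.example.com/stream.m3u8"
    fragment = "http://cdn.example.net/seg1.ts"   # different host

    # Flat header: the session cookie is sent to cdn.example.net regardless.
    leaked = flat_headers(jar, manifest)
    print("flat header sent to fragment host:", leaked["Cookie"])

    # Jar-scoped: no cookie is in scope for cdn.example.net.
    scoped = follow_redirect(jar, leaked, fragment)
    print("jar-scoped header for fragment host:", scoped.get("Cookie"))
```

The point of the contrast is that a cookiejar carries the domain and path attributes the downloader needs to make the scope decision; a flat `Cookie` string does not, so once the header is passed as an argument, only the downloader's own redirect handling can stop it from being replayed to another host. This is why the advisory singles out external downloaders without proper cookie support.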