Package: youtube-dl Version: 2018.01.27-1 Severity: important Tags: security upstream jessie stretch buster sid
Hi,
youtube-dl ships a self-update mechanism, accessible through the `--update`
option.
This mechanism seems (correctly) defunct on Debian systems, as it is gated by a
`isinstance(globals().get('__loader__'), zipimporter) or hasattr(sys,
'frozen')` check:
> $ youtube-dl --update
> It looks like you installed youtube-dl with a package manager, pip, setup.py
> or a tarball. Please use that to update.
However, it is not obvious how reliable this check is, and upstream's
self-upgrade mechanism relies on a self-made (and quite possibly insecure)
function for checking RSA signatures:
https://github.com/rg3/youtube-dl/blob/a072a12e249525f002646a921f16e14f03231662/youtube_dl/update.py#L17-L28
I suggest entirely removing the defunct option and corresponding code.
Best,
nicoo
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages youtube-dl depends on:
ii dpkg 1.19.0.5
ii python3 3.6.4-1
ii python3-pkg-resources 38.4.0-1
Versions of packages youtube-dl recommends:
ii ca-certificates 20170717
ii curl 7.58.0-2
ii ffmpeg 7:3.4.1-1+b2
ii mpv 0.27.0-2+b3
pn phantomjs <none>
pn rtmpdump <none>
ii wget 1.19.4-1
youtube-dl suggests no packages.
-- no debconf information
signature.asc
Description: PGP signature
_______________________________________________ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
