Package: youtube-dl
Version: 2018.01.27-1
Severity: important
Tags: security upstream jessie stretch buster sid
Hi,

youtube-dl ships a self-update mechanism, accessible through the `--update` option. This mechanism seems (correctly) defunct on Debian systems, as it is gated by a `isinstance(globals().get('__loader__'), zipimporter) or hasattr(sys, 'frozen')` check:

> $ youtube-dl --update
> It looks like you installed youtube-dl with a package manager, pip, setup.py
> or a tarball. Please use that to update.

However, it is not obvious how reliable this check is, and upstream's self-upgrade mechanism relies on a self-made (and quite possibly insecure) function for checking RSA signatures:
https://github.com/rg3/youtube-dl/blob/a072a12e249525f002646a921f16e14f03231662/youtube_dl/update.py#L17-L28

I suggest entirely removing the defunct option and corresponding code.

Best,
nicoo

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages youtube-dl depends on:
ii  dpkg                   1.19.0.5
ii  python3                3.6.4-1
ii  python3-pkg-resources  38.4.0-1

Versions of packages youtube-dl recommends:
ii  ca-certificates  20170717
ii  curl             7.58.0-2
ii  ffmpeg           7:3.4.1-1+b2
ii  mpv              0.27.0-2+b3
pn  phantomjs        <none>
pn  rtmpdump         <none>
ii  wget             1.19.4-1

youtube-dl suggests no packages.

-- no debconf information
_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team