From: Theo Buehler Subject: Re: [update] yt-dlp - rce via path traversal To: ports@openbsd.org Cc: mestre@openbsd.org Date: Sun, 7 Jul 2024 11:14:25 +0200 On Sun, Jul 07, 2024 at 09:41:46AM +0200, Theo Buehler wrote: > Fixed in 2024.07.01: > > https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp/ > > youtube-dl has the same problem, fixed in ytdl-nightly 2024.07.03 > > https://github.com/ytdl-org/ytdl-nightly/releases/tag/2024.07.03 > > perhaps youtube-dl should switch to nightly rather than being stuck > on a probably mostly dysfunctional old version? > jca pointed out that I should have read more closely. This supposedly only affects Windows. Nevertheless, I think we should update and the point regarding youtube-dl still stands. Index: Makefile =================================================================== RCS file: /cvs/ports/www/yt-dlp/Makefile,v diff -u -p -r1.38 Makefile --- Makefile 31 May 2024 14:38:53 -0000 1.38 +++ Makefile 7 Jul 2024 04:56:05 -0000 @@ -1,6 +1,6 @@ COMMENT = CLI program to download videos from YouTube and other sites -VERSION = 2024.05.27 +VERSION = 2024.07.02 MODPY_EGG_VERSION = ${VERSION:S/.0/./g} DISTNAME = yt-dlp-${VERSION} Index: distinfo =================================================================== RCS file: /cvs/ports/www/yt-dlp/distinfo,v diff -u -p -r1.33 distinfo --- distinfo 31 May 2024 14:38:53 -0000 1.33 +++ distinfo 7 Jul 2024 04:56:09 -0000 @@ -1,2 +1,2 @@ -SHA256 (yt-dlp-2024.05.27.tar.gz) = g9vxVFZJDn7+m6g5ki+CIdB88RaLKWU/1Hb6o835EjU= -SIZE (yt-dlp-2024.05.27.tar.gz) = 5638920 +SHA256 (yt-dlp-2024.07.02.tar.gz) = EJSvOlgnpqMSabl71wFFYmmvGFlUJ8mQXz/74aEVgqA= +SIZE (yt-dlp-2024.07.02.tar.gz) = 5671980 Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/www/yt-dlp/pkg/PLIST,v diff -u -p -r1.31 PLIST --- pkg/PLIST 27 May 2024 12:46:30 -0000 1.31 +++ pkg/PLIST 7 Jul 2024 04:58:27 -0000 
@@ -792,6 +792,8 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}gotostage.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}gputechconf.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}gputechconf.${MODPY_PYC_MAGIC_TAG}pyc +lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}graspop.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} +lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}graspop.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}gronkh.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}gronkh.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}groupon.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} @@ -966,6 +968,8 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}kuwo.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}la7.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}la7.${MODPY_PYC_MAGIC_TAG}pyc +lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}laracasts.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} +lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}laracasts.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}lastfm.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}lastfm.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}laxarxames.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} 
@@ -1094,8 +1098,6 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}microsoftembed.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}microsoftstream.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}microsoftstream.${MODPY_PYC_MAGIC_TAG}pyc -lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}microsoftvirtualacademy.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} -lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}microsoftvirtualacademy.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}mildom.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}mildom.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}minds.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} 
@@ -1672,6 +1674,8 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}springboardplatform.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}sprout.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}sprout.${MODPY_PYC_MAGIC_TAG}pyc +lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}sproutvideo.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} +lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}sproutvideo.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}srgssr.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}srgssr.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/${MODPY_PYCACHE}srmediathek.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} @@ -2464,6 +2468,7 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/goshgay.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/gotostage.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/gputechconf.py +lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/graspop.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/gronkh.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/groupon.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/harpodeon.py 
@@ -2551,6 +2556,7 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/kukululive.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/kuwo.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/la7.py +lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/laracasts.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/lastfm.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/laxarxames.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/lazy_extractors.py @@ -2615,7 +2621,6 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/mgtv.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/microsoftembed.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/microsoftstream.py -lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/microsoftvirtualacademy.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/mildom.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/minds.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/minoto.py @@ -2904,6 +2909,7 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/spreaker.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/springboardplatform.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/sprout.py +lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/sproutvideo.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/srgssr.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/srmediathek.py lib/python${MODPY_VERSION}/site-packages/yt_dlp/extractor/stacommu.py
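Review bot: in the Makefile hunk, the VERSION bump from 2024.05.27 to 2024.07.02 lands one release past the 2024.07.01 fix named in the GHSL-2024-090 advisory quoted above, so the update does carry the fix. Because MODPY_EGG_VERSION is derived with `${VERSION:S/.0/./g}`, the egg metadata version becomes 2024.7.2 (as 2024.05.27 previously became 2024.5.27); any egg-info path in PLIST should be checked to use that normalized form, as the PLIST hunks shown here do not cover it.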
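Review bot: the distinfo hunk replaces both the SHA256 and the SIZE line for yt-dlp-2024.07.02.tar.gz, which is what a checksum update needs. For a security-motivated bump, confirm the new digest against an independent fetch of the upstream tarball rather than only the copy `make makesum` hashed, so that a tampered mirror is not baked into distinfo.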
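Review bot: the PLIST hunks at @@ -1094 and @@ -2615 drop microsoftvirtualacademy (both bytecode entries and the .py source) with no replacement, so this is an upstream extractor removal rather than a packaging slip; a one-line mention in the commit message would spare the next reader from checking. The remaining hunks are internally consistent: each new extractor (graspop, laracasts, sproutvideo) appears as its .py source plus both bytecode entries, and the @@ line offsets (+2, +4, +2, +4 across the bytecode hunks, then +5, +6, +5 across the source hunks) match those additions and removals, as `make update-plist` output should.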