| === cpaelzer_ is now known as cpaelzer | ||
| === NotEickmeyer is now known as Eickmeyer | ||
| === Juesto is now known as Juest | ||
| JanC | most people probably don't use the APT package for this as it's always outdated, but still... https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3v33-3wmw-3785 | 23:01 |
|---|---|---|
| rbasak | Unit193: ^ | 23:08 |
| Unit193 | -backports should soon have a fixed version, and if you don't have phantomjs (not in Debuntu) then it doesn't matter too much. | 23:09 |
| Unit193 | (The bpo version is not meant to fix that problem btw, just standard refresh.) | 23:10 |
| JanC | as long as it has the fix :) | 23:11 |
| JanC | they don't mention a CVE, which is why I mentioned it | 23:11 |
| JanC | as security issues without a CVE are easier to miss | 23:12 |
| Unit193 | Looks like phantomjs was last in focal, and https://github.com/ariya/phantomjs has a pretty major hint not to install it. | 23:12 |
| JanC | the problem is not with phantomjs so much as with the compromised domain, I suppose | 23:12 |
| Unit193 | Yes, but phantomjs is a pre-condition for it to work. It's mentioned both in "impact" and "workaround" :3 | 23:13 |
| JanC | yeah, it won't work without, but some people might install it to get certain sites to work, I suppose | 23:14 |
| JanC | I guess some random angry site owner could also try to abuse it... | 23:16 |
| JanC | (the Sony scandal years ago shows that some companies are capable of doing the craziest things) | 23:20 |
| Unit193 | rbasak poked me because I'm the Debian maintainer and involved with Ubuntu, but I'm not on the security nor SRU teams so can't say whether one is *needed* or would be accepted. If you'd like, you're welcome to attempt with a debdiff. | 23:21 |
| JanC | if the backports will be fixed I assume it will be enough? the version in the main repositories is so old that half the sites no longer work probably :) | 23:23 |
| Unit193 | Erm, Youtube won't, but quite a few and the generic extractor still do work. | 23:24 |
| rbasak | Unit193: I don't know if you're aware but you can submit a debdiff for sponsorship by the security team if you think it's appropriate | 23:57 |
| rbasak | https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue | 23:58 |
| Unit193 | But bugs, and effort. :3 | 23:58 |
| rbasak | Looks like they expect a CVE | 23:58 |
| rbasak | (maybe it's required) | 23:58 |
| Unit193 | CVE-2024-38519 | 23:58 |
| -ubottu:#ubuntu-security- `yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on W... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38519> | 23:58 | |
| rbasak | Yeah, sure. I appreciate that everyone is a volunteer :) | 23:58 |
| Unit193 | I don't think it's critical given phantomjs isn't even installable via apt and github is archived, but others may have a different opinion! | 23:59 |
| rbasak | Thanks. I value your opinion! | 23:59 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!