=== cpaelzer_ is now known as cpaelzer
=== NotEickmeyer is now known as Eickmeyer
=== Juesto is now known as Juest
[23:01] <JanC> most people probably don't use the APT package for this as it's always outdated, but still... https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3v33-3wmw-3785
[23:08] <rbasak> Unit193: ^
[23:09] <Unit193> -backports should soon have a fixed version, and if you don't have phantomjs (not in Debuntu) then it doesn't matter too much.
[23:10] <Unit193> (The bpo version is not meant to fix that problem btw, just standard refresh.)
[23:11] <JanC> as long as it has the fix  :)
[23:11] <JanC> they don't mention a CVE, which is why I mentioned it
[23:12] <JanC> as security issues without a CVE are easier to miss
[23:12] <Unit193> Looks like phantomjs was last in focal, and https://github.com/ariya/phantomjs has a pretty major hint not to install it.
[23:12] <JanC> the problem is not with phantomjs so much as with the compromised domain, I suppose
[23:13] <Unit193> Yes, but phantomjs is a pre-condition for it to work.  It's mentioned both in "impact" and "workaround" :3
[23:14] <JanC> yeah, it won't work without, but some people might install it to get certain sites to work, I suppose
[23:16] <JanC> I guess some random angry site owner could also try to abuse it...
[23:20] <JanC> (the Sony scandal years ago shows that some companies are capable of doing the craziest things)
[23:21] <Unit193> rbasak poked me because I'm the Debian maintainer and involved with Ubuntu, but I'm not on the security nor SRU teams so can't say whether one is *needed* or would be accepted.  If you'd like, you're welcome to attempt with a debdiff.
[23:23] <JanC> if the backports will be fixed I assume it will be enough?  the version in the main repositories is so old that half the sites no longer work probably  :)
[23:24] <Unit193> Erm, Youtube won't, but quite a few and the generic extractor still do work.
[23:57] <rbasak> Unit193: I don't know if you're aware but you can submit a debdiff for sponsorship by the security team if you think it's appropriate
[23:58] <rbasak> https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue
[23:58] <Unit193> But bugs, and effort. :3
[23:58] <rbasak> Looks like they expect a CVE
[23:58] <rbasak> (maybe it's required)
[23:58] <Unit193> CVE-2024-38519
[23:58] -ubottu:#ubuntu-security- `yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on W... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38519>
[23:58] <rbasak> Yeah, sure. I appreciate that everyone is a volunteer :)
[23:59] <Unit193> I don't think it's critical given phantomjs isn't even installable via apt and github is archived, but others may have a different opinion!
[23:59] <rbasak> Thanks. I value your opinion!