[Secure-testing-team] Bug#890119: youtube-dl contains a (possibly-insecure) self-update mechanism
Nicolas Braud-Santoni
nicolas at braud-santoni.eu
Sun Feb 11 10:50:31 UTC 2018
Package: youtube-dl
Version: 2018.01.27-1
Severity: important
Tags: security upstream jessie stretch buster sid
Hi,
youtube-dl ships a self-update mechanism, accessible through the `--update` option.
This mechanism seems (correctly) defunct on Debian systems, as it is gated by a
`isinstance(globals().get('__loader__'), zipimporter) or hasattr(sys, 'frozen')` check:
> $ youtube-dl --update
> It looks like you installed youtube-dl with a package manager, pip, setup.py or a tarball. Please use that to update.
However, it is not obvious how reliable this check is, and upstream's
self-upgrade mechanism relies on a self-made (and quite possibly insecure)
function for checking RSA signatures:
https://github.com/rg3/youtube-dl/blob/a072a12e249525f002646a921f16e14f03231662/youtube_dl/update.py#L17-L28
I suggest entirely removing the defunct option and corresponding code.
Best,
nicoo
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages youtube-dl depends on:
ii dpkg 1.19.0.5
ii python3 3.6.4-1
ii python3-pkg-resources 38.4.0-1
Versions of packages youtube-dl recommends:
ii ca-certificates 20170717
ii curl 7.58.0-2
ii ffmpeg 7:3.4.1-1+b2
ii mpv 0.27.0-2+b3
pn phantomjs <none>
pn rtmpdump <none>
ii wget 1.19.4-1
youtube-dl suggests no packages.
-- no debconf information
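As an added example (not from the report or from youtube-dl itself), the script below reproduces the `__loader__`/`sys.frozen` gate quoted above and imports a constructed probe module once from a plain directory and once from a zip archive, showing which loader each path yields and therefore when the gate would let the update code run; `update_allowed` and `probe_loader` are names chosen here.

```python
"""Exercise the self-update gate quoted in the bug report: update is allowed
only when the running code was loaded by zipimport (as in the stand-alone
youtube-dl zip binary) or under a frozen interpreter.  Constructed example."""
import os
import shutil
import sys
import tempfile
import zipfile
from zipimport import zipimporter


def update_allowed(loader, frozen: bool) -> bool:
    """The predicate from the report, with its two inputs made explicit."""
    return isinstance(loader, zipimporter) or frozen


# Probe module body: records the loader the interpreter assigned to it,
# mirroring the globals().get('__loader__') lookup in the real check.
_PROBE_SRC = "LOADER = globals().get('__loader__')\n"


def probe_loader(name: str, from_zip: bool):
    """Import a constructed probe module from a temporary directory or from a
    temporary zip archive and return the loader object the module observed."""
    tmp = tempfile.mkdtemp()
    if from_zip:
        path = os.path.join(tmp, "probe.zip")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(name + ".py", _PROBE_SRC)
    else:
        path = tmp
        with open(os.path.join(tmp, name + ".py"), "w") as f:
            f.write(_PROBE_SRC)
    sys.path.insert(0, path)
    try:
        sys.modules.pop(name, None)
        mod = __import__(name)
    finally:
        sys.path.remove(path)
        sys.modules.pop(name, None)
        shutil.rmtree(tmp, ignore_errors=True)
    return mod.LOADER


if __name__ == "__main__":
    for from_zip in (False, True):
        loader = probe_loader("ytdl_probe", from_zip)
        print("zip" if from_zip else "dir", type(loader).__name__,
              update_allowed(loader, hasattr(sys, "frozen")))
```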