diff options
| author | Simon Sawicki <contact@grub4k.xyz> | 2023-09-24 02:29:01 +0200 |
|---|---|---|
| committer | Simon Sawicki <contact@grub4k.xyz> | 2023-09-24 02:29:01 +0200 |
| commit | de015e930747165dbb8fcd360f8775fd973b7d6e (patch) | |
| tree | 7588e5aefdba5eb635a8690b824b1a49672342d8 /devscripts | |
| parent | 61bdf15fc7400601c3da1aa7a43917310a5bf391 (diff) | |
[core] Prevent RCE when using `--exec` with `%q` (CVE-2023-40581)
The shell escape function is now using `""` instead of `\"`. `utils.Popen` has been patched to properly quote commands.
Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg for reference.
Authored by: Grub4K
Diffstat (limited to 'devscripts')
| -rw-r--r-- | devscripts/changelog_override.json | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/devscripts/changelog_override.json b/devscripts/changelog_override.json index 9dfbf510f..fe0c82c66 100644 --- a/devscripts/changelog_override.json +++ b/devscripts/changelog_override.json @@ -93,5 +93,10 @@ "action": "add", "when": "c1d71d0d9f41db5e4306c86af232f5f6220a130b", "short": "[priority] **The minimum *recommended* Python version has been raised to 3.8**\nSince Python 3.7 has reached end-of-life, support for it will be dropped soon. [Read more](https://github.com/yt-dlp/yt-dlp/issues/7803)" + }, + { + "action": "add", + "when": "61bdf15fc7400601c3da1aa7a43917310a5bf391", + "short": "[priority] Security: [[CVE-2023-40581](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40581)] [Prevent RCE when using `--exec` with `%q` on Windows](https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg)\n - The shell escape function is now using `\"\"` instead of `\\\"`.\n - `utils.Popen` has been patched to properly quote commands." } ] |