[core] Prevent RCE when using `--exec` with `%q` (CVE-2024-22423)

The shell escape function now properly escapes `%`, `\\` and `\n`. `utils.Popen` as well as `%q` output template expansion have been patched accordingly. Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p for more details. Authored by: Grub4K
author: Simon Sawicki <contact@grub4k.xyz> 2024-04-08 23:18:04 +0200
committer: Simon Sawicki <contact@grub4k.xyz> 2024-04-09 18:36:13 +0200
commit: ff07792676f404ffff6ee61b5638c9dc1a33a37a (patch)
tree: 6b973d54eeef6c75f80795a3611cf494cc192e4a /devscripts
parent: 216f6a3cb57824e6a3c859649ce058c199b1b247 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/devscripts/changelog_override.json b/devscripts/changelog_override.json
index 52ddf0613..046060cb2 100644
--- a/devscripts/changelog_override.json
+++ b/devscripts/changelog_override.json
@@ -142,5 +142,10 @@
         "when": "e3a3ed8a981d9395c4859b6ef56cd02bc3148db2",
         "short": "[cleanup:ie] No `from` stdlib imports in extractors",
         "authors": ["pukkandan"]
+    },
+    {
+        "action": "add",
+        "when": "9590cc6b4768e190183d7d071a6c78170889116a",
+        "short": "[priority] Security: [[CVE-2024-22423](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22423)] [Prevent RCE when using `--exec` with `%q` on Windows](https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p)\n    - The shell escape function now properly escapes `%`, `\\` and `\\n`.\n    - `utils.Popen` has been patched accordingly."
     }
 ]
author	Simon Sawicki <contact@grub4k.xyz>	2024-04-08 23:18:04 +0200
committer	Simon Sawicki <contact@grub4k.xyz>	2024-04-09 18:36:13 +0200
commit	ff07792676f404ffff6ee61b5638c9dc1a33a37a (patch)
tree	6b973d54eeef6c75f80795a3611cf494cc192e4a /devscripts
parent	216f6a3cb57824e6a3c859649ce058c199b1b247 (diff)