Pypi patch/affected version fixes and remove patched version from GHSA-22fp-mf44-f2mq #5639

Closed
rhdesmond opened this issue May 23, 2025 · 7 comments

Comments

@rhdesmond

I tried to make a pull request to GHSA-22fp-mf44-f2mq using the "suggest an improvement" button, but there was an error page when trying to submit the pull request.

I removed the fixed version with the reason "Fixed version is non-existent: https://pypi.org/project/youtube_dl/#history / https://github.com/ytdl-org/youtube-dl/releases". Could someone make this simple change please?

@rhdesmond rhdesmond changed the title Remove patched version from GHSA-22fp-mf44-f2mq Pypi typos and remove patched version from GHSA-22fp-mf44-f2mq May 23, 2025
@rhdesmond rhdesmond changed the title Pypi typos and remove patched version from GHSA-22fp-mf44-f2mq Pypi fixes and remove patched version from GHSA-22fp-mf44-f2mq May 23, 2025
@rhdesmond
Author

I've also made the following PRs, which correct the GHSA entries to an existing, syntactically correct version that is reflected in the PYSEC advisory database:

#5636
#5637
#5638

@rhdesmond
Author

I'm not sure why some PRs don't just show updated patched and vulnerable version ranges: feel free to just update these yourself if desired.

@rhdesmond rhdesmond changed the title Pypi fixes and remove patched version from GHSA-22fp-mf44-f2mq Pypi patch/affected version fixes and remove patched version from GHSA-22fp-mf44-f2mq May 23, 2025
@shelbyc
Contributor

shelbyc commented May 27, 2025

Hi @rhdesmond, I agree that there isn't a great way to talk about fixed versions of youtube_dl in GHSA-22fp-mf44-f2mq. My teammates and I didn't want to leave a blank spot when a fix was actually available, but neither option for saying which is patched is great. The maintainer advisory GHSA-22fp-mf44-f2mq lists Patched versions as Master code d42a222 or later; nightly builds tagged 2024-07-03 or later. Is it better to use the commit hash as a patched version in this case? Do you have a suggestion for something to use in lieu of the patched version or the nightly build?

@rhdesmond
Author

Thanks Shelby, I agree that it's an odd scenario.

My recommendation is using the package versions from the PyPI registry as the source of truth, as noted in the docs; until a release is on PyPI that contains the patched fix, there is no fixed version. Otherwise we may have to account for N different registries (https://xkcd.com/927/) and data quality issues. The owners can release a new version on PyPI if they want the fixed code publicly reported.

Perhaps the patched information could be noted in a text section? Or if you do want to report the Patched versions maybe doing some sort of commit range is possible too? Though it would be nice to be notified beforehand if a large-scale change like migrating the GHSA database from package version ranges to affected commit ranges is planned.

Thanks for your consideration!
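An added example (not code from this thread or from the advisory-database project) of the check the comment above argues for: every `fixed` version an advisory declares for a PyPI package must be a syntactically valid version that actually exists in the registry's release history. The advisory layout follows the OSV-style JSON used by the GitHub Advisory Database; the release list and the simplified PEP 440 pattern are assumptions constructed for the example, not data fetched from PyPI.

```python
import re

# Simplified PEP 440 public-version pattern (no epoch or local segment); an
# assumption for this example, not the full specification.
_PEP440_RE = re.compile(r"^\d+(\.\d+)*((a|b|rc)\d+)?(\.post\d+)?(\.dev\d+)?$")


def is_pep440_like(version: str) -> bool:
    """True when the string looks like a PEP 440 version (e.g. 2021.12.17)."""
    return bool(_PEP440_RE.match(version))


def normalize_name(name: str) -> str:
    """PEP 503 project-name normalisation: lowercase, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_fixed_versions(advisory: dict, registry_releases: dict) -> list:
    """Return one finding per 'fixed' event that is not a real registry release.

    registry_releases maps a normalised PyPI project name to the set of
    version strings the registry has actually published.
    """
    findings = []
    for affected in advisory.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != "PyPI":
            continue  # only PyPI packages are validated against PyPI history
        name = normalize_name(pkg["name"])
        releases = registry_releases.get(name, set())
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                fixed = event.get("fixed")
                if fixed is None:
                    continue
                if not is_pep440_like(fixed):
                    findings.append(f"{advisory['id']}: fixed version {fixed!r} "
                                    f"for {name} is not a PEP 440 version")
                elif fixed not in releases:
                    findings.append(f"{advisory['id']}: fixed version {fixed!r} "
                                    f"for {name} is not a published PyPI release")
    return findings


# Constructed sample: a nightly-build tag recorded as the fixed version.
SAMPLE_ADVISORY = {
    "id": "GHSA-22fp-mf44-f2mq",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "youtube_dl"},
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}, {"fixed": "2024-07-03"}]}]}],
}
# Constructed stand-in for the registry's release history (not fetched from PyPI).
SAMPLE_RELEASES = {"youtube-dl": {"2021.12.17"}}
```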

@shelbyc
Contributor

shelbyc commented May 27, 2025

After taking some time to think about it, I removed 2024-07-03 from the Patched versions section and added the sentence **Master code d42a222 or later and nightly builds tagged 2024-07-03 or later contain the remediation.** to the global advisory to point users to where they can obtain a patch.

Do you want to receive a credit as an analyst on GHSA-22fp-mf44-f2mq for this conversation? The credit would consist of "@rhdesmond" and your profile picture, which would link to your profile.

@shelbyc shelbyc closed this as completed May 27, 2025
@rhdesmond
Author

It would be an honor (if it's not too much work)! Thank you 🙏

@shelbyc
Contributor

shelbyc commented May 28, 2025

@rhdesmond Your credit should appear on GHSA-22fp-mf44-f2mq now. Thanks again for the great conversation and have a good week!
