- Supported Serve API: `v1.4.0` to `v1.4.2`
Changed
- Sessions in `Cdm.open()` are now initialized with a unique session number.
- Android Cdm Devices now use a Request ID formula similar to the OEMCrypto library when generating a Challenge. This formula has yet to be fully confirmed and ironed out, but it is closer than the Chrome Cdm formula.
- Device no longer throws `ValueError` exceptions on `DecodeErrors` if it fails to parse the provided Client ID, or its VMP data if any. It will now re-raise `DecodeError`.
Fixed
- Parsed Proto Messages now go through an elaborate yet efficient verification: a message must parse and serialize back to its received form, byte-for-byte, or it will be rejected.
  - This prevents protobuf from parsing a message that could be a different message depending on the starting bytes.
  - It was possible to bypass some minor checks by providing specially crafted messages that parsed as other messages. However, I haven't noticed any way where this would lead to a vulnerability or anything bad. It mostly just led to Serve API crashes or just rejected messages down the chain as they wouldn't have the right data within them.
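
The round-trip check described in the Fixed entry, as an added example that is not the project's own code: a toy lenient decoder for a hypothetical two-field, varint-only schema stands in for the protobuf library, and `parse_strict` rejects input that parses but does not re-serialize to the received bytes. All names and sample bytes are constructed for illustration.

```python
# Added example, not the project's code. Hypothetical schema: varint fields 1 and 2.
KNOWN_KEYS = {0x08, 0x10}  # (field_number << 3) | wire_type

class DecodeError(ValueError):
    """Malformed or non-canonical input."""

def read_varint(buf, pos):
    """Lenient decode: padded (over-long) varints are accepted."""
    result = shift = 0
    while pos < len(buf) and shift <= 63:
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise DecodeError("truncated or oversized varint")

def write_varint(value):
    """Canonical encode: shortest possible form."""
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def parse(buf):
    """Lenient parse: any field order, repeated field keeps the last value."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        if key not in KNOWN_KEYS:
            raise DecodeError("unexpected field key %#x" % key)
        fields[key >> 3], pos = read_varint(buf, pos)
    return fields

def serialize(fields):
    """Canonical serialize: ascending field numbers, shortest varints."""
    return b"".join(write_varint(n << 3) + write_varint(fields[n]) for n in sorted(fields))

def parse_strict(buf):
    """Accept a message only if it re-serializes to the exact bytes received."""
    fields = parse(buf)
    if serialize(fields) != buf:
        raise DecodeError("message does not round-trip byte-for-byte")
    return fields

# Constructed inputs: canonical, padded varint, duplicated field, reordered fields.
SAMPLES = [b"\x08\x02\x10\x01", b"\x08\x82\x00\x10\x01", b"\x08\x07\x08\x02\x10\x01", b"\x10\x01\x08\x02"]
```

All four samples decode to the same field values under `parse`, but only the first one survives `parse_strict`.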