Bug#774800: libav: take measurements not to include or automatically download binary blobs

Christoph Anton Mitterer calestyo at scientia.net
Wed Jan 7 19:02:13 UTC 2015


Source: libav
Severity: wishlist
Tags: security


Hi.

Apparently upstream has chosen the same stupid way that Mozilla (see e.g. #769716)
did before to include OpenH264.

AFAICS at first glance, this is done via downloading the blob distributed by
Cisco, about which no one knows what it really does - whether it's just a player
or NSA's most recent rootkit ... and in fact shortly after Mozilla started with that
infiltration a remotely exploitable hole was found in OpenH264 - shame be to him who
thinks evil of it.

Now allegedly these builds would be reproducible, but in reality that doesn't
seem to work (and I have so far found no one who confirmed he was able to do so) ... but
even if it did work, Debian would have to ensure that for every new version,
i.e. reproduce the build, hard-code the hash of that build in the package and verify
it when the blob is downloaded.


So if libav actually goes that downloader way, then please disable this already in
advance (i.e. before the first systems are compromised with possibly insecure blobs,
as was the case with the iceweasel packages) and use the system library.


Cheers,
Chris.



[0] https://git.libav.org/?p=libav.git;a=commit;h=8a3d9ca603f4d15ecaa9ca379cbaab4ecaec8ce4
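The verification scheme the report asks for (reproduce the build once, pin its SHA-256 in the package per upstream version, and reject any download whose digest does not match), as an added example. This is not code from the original report, from libav or from Debian; the pin table, the fetch functions and the sample blob bytes are all constructed for illustration, and the digest in the table is simply that of the constructed bytes b"abc".

```python
"""Pinned-hash verification of a downloaded binary blob (added example).

Constructed stand-in for the scheme the bug report describes: the packager
reproduces the build, records its SHA-256 per upstream version, and the
installer refuses any download whose digest does not match the pinned value.
The version table, the fake fetchers and the sample bytes are assumptions
made for this example, not libav's or Debian's actual code.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Callable

# Hypothetical pin table: upstream version -> SHA-256 of the reproduced build.
# The digest here is that of the constructed sample blob b"abc"; a real table
# would hold the digest of the blob the packager rebuilt from source.
PINNED_SHA256 = {
    "1.0.0": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

Fetcher = Callable[[str], bytes]  # version -> raw blob bytes (stands in for HTTP)


def verify_blob(blob: bytes, pinned_hex: str) -> bool:
    """True iff sha256(blob) equals the pinned digest.

    hmac.compare_digest avoids a timing side channel on the comparison; for a
    hash check this is belt-and-braces, but it costs nothing.
    """
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, pinned_hex.lower())


def install_blob(version: str, fetch: Fetcher, dest_dir: str) -> str:
    """Download, verify against the pin, then install atomically.

    The blob is written to a temp file in dest_dir and only renamed into
    place after verification passed, so a tampered download never lands at
    the final path. Raises ValueError if the version has no pin or the
    digest mismatches; nothing is written to disk in either case.
    """
    if version not in PINNED_SHA256:
        raise ValueError(f"no pinned digest for version {version}; refusing to install")
    blob = fetch(version)
    if not verify_blob(blob, PINNED_SHA256[version]):
        raise ValueError(f"digest mismatch for version {version}; blob rejected")
    os.makedirs(dest_dir, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".blob-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(blob)
        final = os.path.join(dest_dir, f"blob-{version}.bin")
        os.replace(tmp_path, final)  # atomic rename within the same directory
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return final


# Constructed fetchers standing in for the network download.
def good_fetch(version: str) -> bytes:
    return b"abc"  # the bytes the pin above was computed from


def tampered_fetch(version: str) -> bytes:
    return b"abd"  # one byte changed, as a swapped blob would be


def demo() -> dict:
    """Run the three cases and report which were accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["good"] = os.path.exists(install_blob("1.0.0", good_fetch, d))
        try:
            install_blob("1.0.0", tampered_fetch, d)
            results["tampered"] = True
        except ValueError:
            results["tampered"] = False
        try:
            install_blob("9.9.9", good_fetch, d)
            results["unpinned"] = True
        except ValueError:
            results["unpinned"] = False
        results["files"] = sorted(os.listdir(d))  # only the verified blob remains
    return results


if __name__ == "__main__":
    print(demo())
```

The point the report makes is the maintenance cost: every new upstream version needs a fresh reproduced build and a new entry in the pin table, and an unpinned version must be refused rather than fetched, which is what the `9.9.9` case shows.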



More information about the pkg-multimedia-maintainers mailing list