Bug#738554: libbluray-bdj security issues

Christoph Anton Mitterer calestyo at scientia.net
Sun May 3 00:12:19 UTC 2015


Control: reopen -1

Hey Sebastian.

On Sun, 2015-05-03 at 01:59 +0200, Sebastian Ramacher wrote: 
> libbluray now implements a Security Manager for BD-J code. From my point of
> view, the addition of the SM fixes this general complaint.
Phew.. I wouldn't think so.

That would be the first jailing technology where a break-out is
impossible.
Sandboxes that many more people work on than is probably the case
for libbluray-bdj are regularly hacked (e.g. Chromium, Firefox, etc.).
As I've said in the original report.


So I still think that the package description should include a warning
about what this library actually does, i.e. executing code also specifically
meant for DRM, written by an industry which is known to intentionally
hack the systems of people, install rootkits for DRM related
surveillance, and so on.

Even better would be, if there was a critical debconf question which
informs the user, and which defaults to an answer that aborts installing
the package.


Even though I wouldn't know of a concrete security hole in this lib or
in the Security Manager you've mentioned, experience showed that such
things are a typical entry point for code execution.
So I think we should pro-actively "warn" users about this.

Therefore reopening the issue for now, until you decide that you don't
want to follow the idea with improved package description and/or the
debconf question.


Cheers,
Chris.