Bug#738554: libbluray-bdj security issues

Fabian Greffrath fabian at greffrath.com
Sun May 3 07:16:27 UTC 2015


On Sunday, 03.05.2015, 02:12 +0200, Christoph Anton Mitterer wrote:
> That would be the first jailing technology where a break-out is
> impossible.
> Sandboxes on which many more people work than is probably the case
> for libbluray-bdj are regularly hacked (e.g. Chromium, Firefox, etc.).
> As I've said in the original report.
> [...]
> Even though I wouldn't know of a concrete security hole in this lib or
> in the Security Manager you've mentioned, experience showed that such
> things are a typical entry point for code execution.
> So I think we should pro-actively "warn" users about this.

If we had a bug opened against every package which *by principle* could
hold a security issue, we'd have a lot.

While I think a debconf prompt is absolutely out of the question, I'd
agree that it may be useful to proactively warn users. On the other
hand, libbluray is usually not installed explicitly, but by
dependencies of other packages. So, who is going to read that warning
anyway?

However, what warning added to the package description do you suggest?

- Fabian
