Bug#738554: libbluray-bdj security issues

Christoph Anton Mitterer calestyo at scientia.net
Sun May 3 07:33:01 UTC 2015

On Sun, 2015-05-03 at 09:16 +0200, Fabian Greffrath wrote: 
> If we had a bug opened against every package which *by principle* could
> hold a security issue, we'd have a lot.
Well as I've said... I guess one doesn't need to have much imagination
that one can think that a system like BD-J may be abused for attacks.

Any other similar things (where remote code, not distributed by Debian,
gets executed) are considered a security risk and typically things move
away from having these enabled at all or at least not without further
asking the user.

Take Java web applets as an example.

And there it's even usually well known that it's dangerous (while no one
may really notice what BD-J is) AND the Java plugin asks before actually
executing remote code (which is what I'd prefer for libbd-j as well).

> While I think a debconf prompt is absolutely out of question, I'd
> agree that it may be useful to proactively warn users.
Well, the problem is, as you say, that the package description may not
be read at all...

I mean the best solution would probably be, that the library
(respectively the using program) asks before actually executing BD-J.

But since this is probably not going to happen soon... my next best idea
would have been a debconf notice.

And why should that be out of question?! Actually we have quite a number
of packages which fail to install when not answering something "right"
in debconf.
I don't see the problem.

> However, what warning added to the package description do you suggest?
Probably something like:
BD-J is a technology where foreign code provided by the BluRay medium is
executed on the local system.
This code may be even malicious and while it runs in a sandbox, one
should be familiar that there is no absolute guarantee that escaping
that sandbox is impossible.

More information about the pkg-multimedia-maintainers mailing list