Your message dated Sun, 3 May 2015 02:22:29 +0200
with message-id <[email protected]>
and subject line Re: Bug#738554: libbluray-bdj security issues
has caused the Debian Bug report #738554,
regarding libbluray-bdj security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
738554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738554
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libbluray-bdj
Version: 1:0.5.0-2
Severity: normal



Hi.

AFAIU, BD-J allows BluRays to run some Java code for an "extended experience"...

No even if that was sandboxed... we all know how problematic this is with 
respect
to security and that Java has a really bad record in terms of that.

In the end this probably means, that if installed, more or less arbitrary code
from BluRays (especially video BluRays) may be executed.


I think that at least the package description should clearly warn the user about
that, since many people may not fully realise what BD-J means.

And IMHO it would be even better, if libbluray-bdj was "disabled" by default,
even when installed... like that any function of it simply returns an error,
or that it's not loaded by libbluray unless some configuration file enables it
explicitly.


Cheers,
Chris.

--- End Message ---
--- Begin Message ---
On 2015-05-03 02:12:19, Christoph Anton Mitterer wrote:
> Control: reopen -1
> 
> Hey Sebastian.
> 
> On Sun, 2015-05-03 at 01:59 +0200, Sebastian Ramacher wrote: 
> > libbluray now implements a Security Manager for BD-J code. From my point of
> > view, the addition of the SM fixes this general complaint.
> Phew.. I wouldn't think so.
> 
> That would be the first jailing technology where a break-out is
> impossible.
> Sandboxes where much more people work upon than it's probably the case
> for libbluray-bdj are regularly hacked (e.g. Chromium, Firefox, etc.).
> As I've said in the original report.
> 
> 
> So I still think that the package description should include a warning
> what this library actually does, i.e. executing code also specifically
> meant for DRM, written by an industry which is known to intentionally
> hack the systems of people, install rootkits for DRM related
> surveillance, and so on.
> 
> Even better would be, if there was a critical debconf question which
> informs the user, and which defaults to an answer the aborts installing
> the package.
> 
> 
> Even though I wouldn't know of a concrete security hole in this lib or
> in the Security Manager you've mentioned, experience showed that such
> things are a typical entry point for code execution.
> So I think we should pro-actively "warn" users about this.
> 
> Therefore reopening the issue for now, until you decide that you don't
> want to follow the idea with improved package description and/or the
> debconf question.

Closing again.
-- 
Sebastian Ramacher

Attachment: signature.asc
Description: Digital signature


--- End Message ---

Reply via email to