The script is no longer part of libdvdread.

** Changed in: libdvdread (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libdvdread in Ubuntu.
https://bugs.launchpad.net/bugs/1317386

Title:
  Script install-css.sh from libdvdread4 is vulnerable to MITM attack

Status in libdvdread package in Ubuntu:
  Fix Released

Bug description:
  There is an install-css.sh script in the libdvdread4 package which
  downloads and installs the libdvdcss package which is needed for
  playing DVDs (those infected by the DRM CSS technology – probably most
  of them).

  The libdvdcss package is downloaded over the unencrypted HTTP protocol
  and is installed immediately after downloading without any integrity
  checks. Anybody between the server (download.videolan.org) and the
  user can modify this package on the fly and add some malware/backdoor
  into it. This installation equals downloading some untrusted code from
  the Net and executing it with root permissions (the package can
  contain a post-installation script).

  The user is not warned (neither in the help at
  https://help.ubuntu.com/community/RestrictedFormats/PlayingDVDs nor
  interactively by the script) that his computer might be infected.

  The script MUST verify the digital signature of the downloaded package
  and install it only if it is valid.

  The package is already signed:
  http://download.videolan.org/pub/debian/stable/stable/libdvdcss_1.2.13-0.dsc
  So please verify that the PGP key C0AFF10F (Rafaël Carré) is valid and
  can be trusted for this purpose, and add signature verification into
  the install-css.sh script.

  Please also consult with lawyers about another solution: isn't it
  possible to distribute the DeCSS source code instead of downloading it
  from an external site? Then the subject of distribution will be just
  data, nothing executable. The compilation will be done by the user on
  his computer (he will run the same script: install-css.sh). It will
  not be vulnerable to a MITM attack – standard methods for package
  signing and verification will be used – and it will also be
  independent of Internet connectivity – it will be possible to install
  it e.g. from CDs on an offline computer.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/1317386/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
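A worked example of the check the report asks for, added here by the editor and not code from libdvdread, install-css.sh or the videolan project: the .dsc is the signed artifact, and it lists the SHA-256 digest and size of every source file it covers, so a safe installer first verifies the .dsc signature against one pinned key and only then checks each downloaded file against the digests in the .dsc, refusing to build or install on any mismatch (which also covers the reporter's second proposal of compiling the sources locally). The gpg invocation, the keyring path and the fingerprint constant are assumptions for illustration: the page names only the short key ID C0AFF10F, its full fingerprint is not given here, so the placeholder below must be replaced with the real one. The sample .dsc and tarball bytes are constructed inline so the checksum path runs offline.

```python
import hashlib
import hmac
import subprocess
from typing import Dict, Tuple

# Assumption for illustration: the full fingerprint of the key that signs the
# .dsc. The page only names the short key ID C0AFF10F; an installer must pin
# the full 40-hex-digit fingerprint, never a short ID (short IDs collide).
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"  # placeholder


def parse_dsc_checksums(dsc_text: str) -> Dict[str, Tuple[str, int]]:
    """Return {filename: (sha256 hex digest, size)} from the Checksums-Sha256
    stanza of a (possibly clearsigned) .dsc. Continuation lines of the stanza
    start with a space; any other line (next field, PGP armor) ends it."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_stanza = False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if in_stanza and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        else:
            in_stanza = False
    return entries


def verify_dsc_signature(dsc_path: str, keyring_path: str) -> bool:
    """Verify the clearsigned .dsc with gpg against a dedicated keyring (give an
    absolute path) and require that the VALID signature comes from the pinned
    fingerprint. Assumption: gpg is installed; not exercised offline."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", dsc_path],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return False
    for status in proc.stdout.splitlines():
        fields = status.split()
        # "[GNUPG:] VALIDSIG <fpr> ... <primary-fpr>": accept only our key.
        if len(fields) >= 3 and fields[1] == "VALIDSIG":
            if PINNED_FINGERPRINT in (fields[2], fields[-1]):
                return True
    return False


def verify_file(data: bytes, expected: Tuple[str, int]) -> bool:
    """Check the size first (cheap), then the digest with a constant-time compare."""
    expected_digest, expected_size = expected
    if len(data) != expected_size:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_digest)


def verify_download(dsc_text: str, filename: str, data: bytes) -> bool:
    """True only if filename is listed in the .dsc and data matches its entry."""
    entries = parse_dsc_checksums(dsc_text)
    if filename not in entries:
        return False  # a file the signed .dsc does not vouch for at all
    return verify_file(data, entries[filename])


def install_from_signed_dsc(dsc_path: str, downloaded: Dict[str, bytes],
                            keyring_path: str) -> bool:
    """Hardened replacement for 'fetch over HTTP, then dpkg -i at once':
    refuse everything unless the signature AND every checksum hold."""
    if not verify_dsc_signature(dsc_path, keyring_path):
        raise RuntimeError("refusing: .dsc signature not valid for pinned key")
    with open(dsc_path, encoding="utf-8") as fh:
        dsc_text = fh.read()
    for name, data in downloaded.items():
        if not verify_download(dsc_text, name, data):
            raise RuntimeError(f"refusing: {name} does not match the signed .dsc")
    # Only now is it safe to unpack, build and install the verified sources.
    return True


# Constructed sample data (not the real libdvdcss tarball or .dsc).
SAMPLE_TARBALL = b"constructed stand-in for libdvdcss_1.2.13.orig.tar.bz2\n"
SAMPLE_DSC = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "Format: 3.0 (quilt)\nSource: libdvdcss\nVersion: 1.2.13-0\n"
    "Checksums-Sha256:\n"
    f" {hashlib.sha256(SAMPLE_TARBALL).hexdigest()} {len(SAMPLE_TARBALL)} "
    "libdvdcss_1.2.13.orig.tar.bz2\n"
    "Files:\n 00000000000000000000000000000000 0 libdvdcss_1.2.13.orig.tar.bz2\n"
    "-----BEGIN PGP SIGNATURE-----\n(signature omitted in this sample)\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    name = "libdvdcss_1.2.13.orig.tar.bz2"
    print("genuine:", verify_download(SAMPLE_DSC, name, SAMPLE_TARBALL))
    print("tampered:", verify_download(SAMPLE_DSC, name, SAMPLE_TARBALL + b"#backdoor"))
```

Two points the reporter's request hinges on: the checksum step is only worth anything once the .dsc signature has been verified, because an attacker who can rewrite the tarball in transit can rewrite an unsigned checksum list just as easily; and the key must be pinned by full fingerprint obtained out of band (shipped with the package), not fetched from a keyserver by the short ID at install time.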
