The script is no longer part of libdvdread.
** Changed in: libdvdread (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libdvdread in Ubuntu.
https://bugs.launchpad.net/bugs/1317386
Title:
Script install-css.sh from libdvdread4 is vulnerable to MITM attack
Status in libdvdread package in Ubuntu:
Fix Released
Bug description:
There is an install-css.sh in the libdvdread4 package which downloads and
installs the libdvdcss package which is needed for playing DVDs (those
infected by DRM CSS technology – probably most of them).
The libdvdcss package is downloaded over the unencrypted HTTP protocol and
is installed immediately after downloading without any integrity
checks. Anybody between the server (download.videolan.org) and the
user can modify this package on-the-fly and add some malware/backdoor
into it. This installation equals downloading some untrusted code from
the Net and executing it with root permissions (the package can
contain a post-installation script).
The user is not warned (neither in the help
https://help.ubuntu.com/community/RestrictedFormats/PlayingDVDs nor
interactively by the script) that his computer might be infected.
The script MUST verify the digital signature of downloaded package and
install it only if it is valid.
The package is already signed:
http://download.videolan.org/pub/debian/stable/stable/libdvdcss_1.2.13-0.dsc
So please verify that the PGP key C0AFF10F (Rafaël Carré) is valid and can be
trusted for this purpose. And add signature verification into the
install-css.sh script.
Please also consult lawyers about another solution: isn't it possible to
distribute the DeCSS source code instead of downloading it from an
external site? So the subject of distribution will be just data,
nothing executable. The compilation will be done by the user on his
computer (he will run the same script: install-css.sh). It will not be
vulnerable to MITM attack – standard methods for package signing and
verification will be used – and it will also be independent from
Internet connectivity – it will be possible to install it e.g. from
CDs on an offline computer.
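The integrity step the report asks for, shown as an added example that is neither libdvdread4's install-css.sh nor VideoLAN's code: verify the PGP-signed .dsc against a pinned key, then check the downloaded tarball against the SHA-256 values the .dsc carries. It assumes a keyring path for the gpg step and uses a constructed, unsigned .dsc fixture so the hash check runs offline.

```shell
# Added example, not libdvdread4's install-css.sh: the integrity step the report
# asks for. A Debian .dsc is PGP-signed and lists the SHA-256 of every source
# file, so a verified .dsc lets the tarball be checked against signed hashes.
set -u

# Signature check against a keyring holding only the pinned upstream key
# (keyring path is an assumption; it needs the real key, so it is not run offline here).
verify_dsc_signature() {
    gpg --no-default-keyring --keyring "$2" --verify "$1" >/dev/null 2>&1
}

sha256_of() {   # hash only, with a fallback for systems lacking coreutils sha256sum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# "<sha256> <size> <name>" per entry of Checksums-Sha256; the length test skips stray lines such as PGP armour.
dsc_sha256_entries() {
    awk '/^Checksums-Sha256:/ {blk=1; next}
         /^[A-Za-z-]+:/ {blk=0}
         blk && NF == 3 && length($1) == 64 {print $1, $2, $3}' "$1"
}

# Succeed only if the .dsc lists at least one file and each one under $2 matches its signed hash and size.
verify_dsc_checksums() {
    dsc=$1; srcdir=$2
    [ "$(dsc_sha256_entries "$dsc" | wc -l | tr -d ' ')" -gt 0 ] || return 1   # an empty list must not pass
    while read -r want_sum want_size name; do
        path="$srcdir/$name"
        [ -f "$path" ] || { echo "missing: $name" >&2; return 1; }
        [ "$(sha256_of "$path")" = "$want_sum" ] && [ "$(wc -c < "$path" | tr -d ' ')" = "$want_size" ] \
            || { echo "integrity check failed: $name" >&2; return 1; }
    done <<EOF
$(dsc_sha256_entries "$dsc")
EOF
}

# Constructed offline fixture: a stand-in tarball plus a minimal, unsigned .dsc
# whose Checksums-Sha256 entry matches it. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d); tb="$d/libdvdcss_1.2.13.orig.tar.gz"
    printf 'constructed stand-in for the libdvdcss source tarball\n' > "$tb"
    printf 'Source: libdvdcss\nChecksums-Sha256:\n %s %s %s\nFiles:\n' \
        "$(sha256_of "$tb")" "$(wc -c < "$tb" | tr -d ' ')" "$(basename "$tb")" > "$d/libdvdcss_1.2.13-0.dsc"
    echo "$d"
}

fx=$(make_fixture)
verify_dsc_checksums "$fx/libdvdcss_1.2.13-0.dsc" "$fx" && echo "untampered tarball: accepted"
printf 'x' >> "$fx/libdvdcss_1.2.13.orig.tar.gz"    # what an in-transit modification would look like
verify_dsc_checksums "$fx/libdvdcss_1.2.13-0.dsc" "$fx" || echo "tampered tarball: rejected"; rm -rf "$fx"
```

A real run would call verify_dsc_signature on the downloaded .dsc first and only then verify_dsc_checksums, installing nothing unless both succeed.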