Script install-css.sh from libdvdread4 is vulnerable to MITM attack
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libdvdread (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
There is an install-css.sh script in the libdvdread4 package which downloads and installs the libdvdcss package, which is needed for playing DVDs (those infected by DRM CSS technology – probably most of them).
The libdvdcss package is downloaded over the unencrypted HTTP protocol and is installed immediately after downloading without any integrity checks. Anybody between the server (download.
The user is not warned (neither in help https:/
The script MUST verify the digital signature of downloaded package and install it only if it is valid.
The package is already signed:
http://
So please verify that the PGP key C0AFF10F (Rafaël Carré) is valid and can be trusted for this purpose, and add signature verification to the install-css.sh script.
Please also consult with lawyers about another solution: isn't it possible to distribute the DeCSS source code instead of downloading it from an external site? Then the subject of distribution would be just data, nothing executable. The compilation would be done by the user on his computer (he would run the same script: install-css.sh). It would not be vulnerable to a MITM attack – standard methods for package signing and verification would be used – and it would also be independent of Internet connectivity – it would be possible to install it e.g. from CDs on an offline computer.
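A download-and-verify routine of the kind the report asks for, written here as an added example and not the actual install-css.sh shipped by libdvdread4. It assumes wget as the fetcher, gpgv being installed, a dedicated keyring path, and a placeholder for the full fingerprint of the signing key.

```shell
#!/bin/sh
# Added example, not the libdvdread4 install-css.sh: fetch a package only over
# HTTPS and install it only after its detached PGP signature verifies against a
# dedicated keyring. KEYRING, EXPECTED_FPR, the use of wget and gpgv, and the
# pkg/sig file names are assumptions made for this example.
set -u

# Keyring containing only the key this script is allowed to trust (assumed path).
KEYRING="${KEYRING:-/usr/share/keyrings/libdvdcss-archive-keyring.gpg}"
# Full 40-hex fingerprint of the signing key. The report names the short id
# C0AFF10F; short ids are not collision resistant, so pin the full fingerprint.
EXPECTED_FPR="${EXPECTED_FPR:-PLACEHOLDER_FULL_FINGERPRINT_OF_C0AFF10F}"

# Refuse anything that is not https://, so the payload cannot be swapped in
# transit before the signature check even runs.
url_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Verify a detached signature with gpgv (no default keyring, no web of trust):
# success requires a VALIDSIG status line naming the pinned fingerprint.
verify_signature() {
    pkg="$1"; sig="$2"
    [ -s "$pkg" ] && [ -s "$sig" ] || return 1
    command -v gpgv >/dev/null 2>&1 || return 1
    gpgv --keyring "$KEYRING" --status-fd 1 "$sig" "$pkg" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR "
}

# Download package and signature, verify, and only then hand the file to dpkg.
# Returns 2 for a non-HTTPS URL, 1 for download errors, 3 for a bad signature.
install_verified() {
    url="$1"; sigurl="$2"
    url_is_https "$url" && url_is_https "$sigurl" \
        || { echo "refusing non-HTTPS download: $url" >&2; return 2; }
    tmp=$(mktemp -d) || return 1
    if ! wget -q -O "$tmp/pkg.deb" "$url" \
       || ! wget -q -O "$tmp/pkg.deb.sig" "$sigurl"; then
        rm -rf "$tmp"; return 1
    fi
    if verify_signature "$tmp/pkg.deb" "$tmp/pkg.deb.sig"; then
        dpkg -i "$tmp/pkg.deb"; rc=$?
    else
        echo "signature check failed; NOT installing $url" >&2; rc=3
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

The keyring must hold only the key the script is meant to trust; a key that merely exists in the user's default keyring is never consulted.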
information type: Private Security → Public Security
description: updated
Changed in libdvdread (Ubuntu):
status: New → Confirmed
The script is no longer part of libdvdread.