Script install-css.sh from libdvdread4 is vulnerable to MITM attack

Bug #1317386 reported by František Kučera on 2014-05-08
This bug affects 2 people
Affects: libdvdread (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

There is install-css.sh in the libdvdread4 package which downloads and installs the libdvdcss package which is needed for playing DVDs (those infected by DRM CSS technology – probably most of them).

The libdvdcss package is downloaded over the unencrypted HTTP protocol and is installed immediately after downloading without any integrity checks. Anybody between the server (download.videolan.org) and the user can modify this package on the fly and add some malware/backdoor into it. This installation equals downloading some untrusted code from the Net and executing it with root permissions (the package can contain a post-installation script).

The user is not warned (neither in the help page https://help.ubuntu.com/community/RestrictedFormats/PlayingDVDs nor interactively by the script) that his computer might be infected.

The script MUST verify the digital signature of the downloaded package and install it only if it is valid.

The package is already signed:
http://download.videolan.org/pub/debian/stable/stable/libdvdcss_1.2.13-0.dsc
So please verify that the PGP key C0AFF10F (Rafaël Carré) is valid and can be trusted for this purpose. And add signature verification into the install-css.sh script.

Please also consult with lawyers about another solution: isn't it possible to distribute the DeCSS source code instead of downloading it from an external site? Then the subject of distribution will be just data, nothing executable. The compilation will be done by the user on his computer (he will run the same script: install-css.sh). It will not be vulnerable to MITM attack – standard methods for package signing and verification will be used – and it will also be independent from Internet connectivity – it will be possible to install it e.g. from CDs on an offline computer.
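The verify-before-install pattern the report asks for, as an added example; this is not the bug report's text nor libdvdread's own install-css.sh. It assumes (placeholders, not facts from the report) an HTTPS download URL, a detached `.asc` signature published next to the package, and a keyring at a known path holding only the trusted signing key.

```shell
#!/bin/sh
# Hardened download-verify-install helper (added example, not libdvdread code).
# Every check fails closed: if the package cannot be verified, dpkg never sees it.
set -u

PKG_URL="https://download.videolan.org/pub/debian/stable/libdvdcss_EXAMPLE.deb"  # placeholder
KEYRING="/usr/share/keyrings/libdvdcss-archive-keyring.gpg"                      # placeholder

# Refuse plain-HTTP sources; an unauthenticated channel is what a MITM rewrites.
url_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Verify a detached OpenPGP signature against the pinned keyring only
# (never the user's default keyring, so a stray imported key cannot vouch).
verify_signature() {
    pkg="$1"; sig="$2"; keyring="$3"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not available, refusing" >&2; return 1; }
    [ -r "$keyring" ] || { echo "trusted keyring missing: $keyring" >&2; return 1; }
    [ -r "$pkg" ] && [ -r "$sig" ] || { echo "package or signature missing" >&2; return 1; }
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$pkg" >/dev/null 2>&1
}

# Download package and signature, verify, and only then install as root.
safe_install() {
    url="$1"; keyring="$2"
    url_is_https "$url" || { echo "refusing non-HTTPS source: $url" >&2; return 1; }
    tmpdir=$(mktemp -d) || return 1
    pkg="$tmpdir/package.deb"; sig="$tmpdir/package.deb.asc"
    wget -q -O "$pkg" "$url" && wget -q -O "$sig" "$url.asc" \
        || { rm -rf "$tmpdir"; echo "download failed" >&2; return 1; }
    if verify_signature "$pkg" "$sig" "$keyring"; then
        dpkg -i "$pkg"; rc=$?
    else
        echo "signature check failed, package NOT installed" >&2; rc=1
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
if [ "${1:-}" = "--install" ]; then
    safe_install "$PKG_URL" "$KEYRING"
fi
```

The original script's failure mode (install whatever arrived) is replaced by a single decision point, verify_signature, whose every error path returns non-zero before dpkg runs.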

information type: Private Security → Public Security
description: updated
Changed in libdvdread (Ubuntu):
status: New → Confirmed
Sebastian Ramacher (s-ramacher) wrote:

The script is no longer part of libdvdread.

Changed in libdvdread (Ubuntu):
status: Confirmed → Fix Released