Comment 0 for bug 1317386

There is install-css.sh in libdvdread4 package which downloads and installs libdvdcss package which is needed for playing of DVDs (those infected by DRM CSS technology – probably most of them).

The libdvdcss package is downloaded over unencrypted HTTP protocol and is installed immediately after downloading without any integrity checks. Anybody between the server (download.videolan.org) and the user can modify on-thy-fly this package and add some malware/backdoor into it. This installation equals downloading some untrusted code from the Net and executing it with root permissions (the package can containt post-installation script).

User is not warned (neither in help https://help.ubuntu.com/community/RestrictedFormats/PlayingDVDs nor interactively by the script) that his computer might be infected.

The script MUST verify the digital signature of downloaded package and install it only if it is valid.

The package is already signed:
http://download.videolan.org/pub/debian/stable/stable/libdvdcss_1.2.13-0.dsc
So please verify that the PGP key C0AFF10F (Rafaël Carré) is valid and can be trusted for this purpose. And add signature verification into the install-css.sh script.

Please consult with lawyers also other solution: isn't is possible to distribute DeCSS source code instead of downloading it from an external site? So the subject of distribution will be just data, nothing executable. The compilation will be done by the user on his computer (he will run the same script: install-css.sh). It will not be vulnerable to MITM attack – standard methods for package signing and verification will be used – and it will also be independent from Internet connectivity – it will by possible to install it e.g. from CDs on an offline computer.