Source: libav
Severity: wishlist
Tags: security
Hi.

Apparently upstream has chosen the same stupid way that Mozilla (see e.g. #769716) did before to include OpenH264 [0]. AFAICS on a first glance, this is done via downloading the blob distributed by Cisco, for which no one knows what it really does - whether it's just a player or NSA's most recent rootkit, ... and in fact shortly after Mozilla started with that infiltration a remotely exploitable hole was found in OpenH264 - shame be to him who thinks evil of it.

Now allegedly these builds would be reproducible, but in reality that doesn't seem to work (and I have so far found no one who confirmed he was able to do so)... but even if it did work, Debian would have to secure that for every new version, i.e. reproduce the build, hard-code the hash of that build in the package and verify it when the blob is downloaded.

So if libav actually goes that downloader way, then please disable this already in advance (i.e. before the first systems are compromised with possibly insecure blobs, as was the case with the iceweasel packages) and use the system library.

Cheers,
Chris.

[0] https://git.libav.org/?p=libav.git;a=commit;h=8a3d9ca603f4d15ecaa9ca379cbaab4ecaec8ce4&utm_source=anzwix

pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers