Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec

Mike Hommey mh at glandium.org
Thu Nov 27 15:44:38 UTC 2014


On Thu, Nov 27, 2014 at 03:54:24PM +0100, Christoph Anton Mitterer wrote:
> tags 769716 + security
> tags 769716 grave
> stop
> 
> Wow... I've just stumbled over this by accident and this is really
> extremely outrageous.
> 
> Adding security tag and raising severity to grave, since no one knows
> what's actually contained in that binary blob, one must basically assume
> it's a security breach that tries to install a root-kit.
> And access to a normal user is usually equal to access to root on
> desktop systems - therefore the severity should actually be critical.
> 
> 
> It's really highly disturbing that something like this could slip into
> Debian, potentially compromising countless systems.
> And it once more proves the points I've brought up several times on
> debian-devel, that we have some severe problems about downloader
> packages and software that circumvents the package management system.

a) it's not in any release of Debian, and it's not in any upcoming
release of Debian either. It's in a package from experimental.
b) everyone knows what's actually contained in that binary blob, since
it's built from open source code, and the build is (supposed to be)
reproducible.
c) the binary blob is verified against a sha256 checksum downloaded from
a mozilla server through HTTPS with certificate pinning.

So it's not as bad as you make it sound.

And it's not going to stay that way anyway.

Mike
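The download-then-verify pattern described in point c) above, as an added example that is not part of this thread and not the code Iceweasel/Firefox actually uses for its GMP plugin downloader. It assumes a manifest that has already been fetched over pinned HTTPS (no network access here), a made-up JSON manifest layout with a "sha256" field, and a constructed fake blob; the plugin name, version and hash values are all constructed for the demo. The security-relevant parts are that the hash is checked before anything is written to the install path, the comparison is constant-time, and the file only appears at its final name after it has passed.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Optional

# Constructed sample: a fake "codec" blob standing in for the downloaded
# binary. Nothing here is a real OpenH264 build or a real Mozilla hash.
SAMPLE_BLOB = b"\x7fELF" + b"fake openh264 plugin bytes " * 8


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the blob, the value a manifest would carry."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest, assumed to have been fetched over pinned HTTPS.
# The layout (name/version/sha256) is an assumption for this example.
SAMPLE_MANIFEST = json.dumps({
    "name": "gmp-gmpopenh264",
    "version": "1.1",
    "sha256": sha256_hex(SAMPLE_BLOB),
})


def parse_manifest(text: str) -> dict:
    """Parse the manifest and reject anything that is not a hex SHA-256."""
    manifest = json.loads(text)
    digest = str(manifest.get("sha256", "")).lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("manifest hash is not a sha256 hex digest")
    manifest["sha256"] = digest
    return manifest


def blob_matches(blob: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the blob's hash against the manifest."""
    return hmac.compare_digest(sha256_hex(blob), expected_hex.lower())


def verify_and_install(blob: bytes, manifest_text: str,
                       install_dir: str) -> Optional[str]:
    """Install the blob under install_dir only if its hash matches.

    Returns the installed path, or None if the blob was rejected. The blob
    is written to a temp file and renamed into place, so a half-written or
    unverified file is never visible at the final path.
    """
    manifest = parse_manifest(manifest_text)
    if not blob_matches(blob, manifest["sha256"]):
        return None
    os.makedirs(install_dir, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(dir=install_dir, prefix=".tmp-")
    with os.fdopen(fd, "wb") as f:
        f.write(blob)
    final = os.path.join(
        install_dir, "%s-%s.bin" % (manifest["name"], manifest["version"]))
    os.replace(tmp_path, final)
    return final


def run_demo() -> dict:
    """Install the good blob, then try a tampered one; report both outcomes."""
    install_dir = tempfile.mkdtemp(prefix="gmp-demo-")
    good = verify_and_install(SAMPLE_BLOB, SAMPLE_MANIFEST, install_dir)
    tampered = verify_and_install(SAMPLE_BLOB + b"\x00", SAMPLE_MANIFEST,
                                  install_dir)
    leftovers = [n for n in os.listdir(install_dir) if n.startswith(".tmp-")]
    return {
        "good_installed": good is not None and os.path.exists(good),
        "tampered_rejected": tampered is None,
        "no_temp_leftovers": leftovers == [],
    }


if __name__ == "__main__":
    print(run_demo())
```

Note that the hash check is only as strong as the channel the manifest came over: if the manifest were fetched over plain HTTP, an attacker who can substitute the blob could substitute the hash too, which is why point c) stresses HTTPS with pinning for the manifest.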


