Date: Tue, 13 Oct 2015 16:28:00 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: fweimer@...hat.com, cve-assign@...re.org
Subject: Re: Re: CVE request: BD-J implementation in libbluray

Hi,

Disclaimer: I have not investigated the situation in detail:

On Mon, Oct 12, 2015 at 02:50:56PM -0400, cve-assign@...re.org wrote:
> In 0.7.0, the configure script has:
>
> --enable-bdjava enable BD-Java support (default is no)
>
> under "Optional Features" but we didn't find any documentation or
> comments suggesting that --enable-bdjava was recommended for general
> use cases at that time. Apparently, BDJSecurityManager development
> came after 0.7.0.
>
> In other words, our perspective is that the primary known mistake is
> that the Fedora packaging process chose a non-standard default
> behavior, and either didn't investigate or didn't document the risks.
> If anyone else independently chose --enable-bdjava for their package
> based on 0.7.0 or earlier, then they can have their own CVE ID.

Does that mean that in principle Debian would receive a separate CVE ID, since it looks like --enable-bdjava was passed there on the build as well in earlier versions?

Cf. https://sources.debian.net/src/libbluray/1:0.6.2-1/debian/rules/#L4

Regards,
Salvatore