Date: Tue, 13 Oct 2015 16:28:00 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: fweimer@...hat.com, cve-assign@...re.org
Subject: Re: Re: CVE request: BD-J implementation in libbluray

Hi,

Disclaimer: I have not investigated the situation in detail:

On Mon, Oct 12, 2015 at 02:50:56PM -0400, cve-assign@...re.org wrote:
> In 0.7.0, the configure script has:
> 
>   --enable-bdjava         enable BD-Java support (default is no)
> 
> under "Optional Features" but we didn't find any documentation or
> comments suggesting that --enable-bdjava was recommended for general
> use cases at that time. Apparently, BDJSecurityManager development
> came after 0.7.0.
> 
> In other words, our perspective is that the primary known mistake is
> that the Fedora packaging process chose a non-standard default
> behavior, and either didn't investigate or didn't document the risks.
> If anyone else independently chose --enable-bdjava for their package
> based on 0.7.0 or earlier, then they can have their own CVE ID.

Does that mean that in principle Debian would receive a
separate CVE ID, since it looks like --enable-bdjava was passed there on
the build as well in earlier versions? Cf.

https://sources.debian.net/src/libbluray/1:0.6.2-1/debian/rules/#L4

Regards,
Salvatore
