
List:       oss-security
Subject:    Re: [oss-security] Re: CVE request: BD-J implementation in libbluray
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2015-10-13 14:28:00
Message-ID: 20151013142800.GA683 () eldamar ! local

Hi,

Disclaimer: I have not investigated the situation in detail:

On Mon, Oct 12, 2015 at 02:50:56PM -0400, cve-assign@mitre.org wrote:
> In 0.7.0, the configure script has:
> 
>   --enable-bdjava         enable BD-Java support (default is no)
> 
> under "Optional Features" but we didn't find any documentation or
> comments suggesting that --enable-bdjava was recommended for general
> use cases at that time. Apparently, BDJSecurityManager development
> came after 0.7.0.
> 
> In other words, our perspective is that the primary known mistake is
> that the Fedora packaging process chose a non-standard default
> behavior, and either didn't investigate or didn't document the risks.
> If anyone else independently chose --enable-bdjava for their package
> based on 0.7.0 or earlier, then they can have their own CVE ID.

Does that mean that in principle Debian would receive a separate CVE
ID, since it looks like --enable-bdjava was passed there on the build
as well in earlier versions? Cf.

https://sources.debian.net/src/libbluray/1:0.6.2-1/debian/rules/#L4

Regards,
Salvatore