[Bug 22901] New: Clarification regarding a potential CDM capable of running arbitrary code from bugzilla@jessica.w3.org on 2013-08-08 (public-html-media@w3.org from August 2013)

From: <bugzilla@jessica.w3.org>
Date: Thu, 08 Aug 2013 06:32:41 +0000
To: public-html-media@w3.org
Message-ID: <bug-22901-5436@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=22901

            Bug ID: 22901
           Summary: Clarification regarding a potential CDM capable of
                    running arbitrary code
    Classification: Unclassified
           Product: HTML WG
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Encrypted Media Extensions
          Assignee: adrianba@microsoft.com
          Reporter: yoshi@yomols.de
        QA Contact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-media@w3.org

>From my reading of the EME draft, it seems that a CDM which can run arbitrary
code embedded into the media stream would currently be standard compliant. 

Furthermore, the stream of the media_element and the message interface from EME
provide a bi-directional link between an arbitrary server and a (potentially
hijacked) CDM, which runs with the same privileges as the user-agent. This
poses a potential thread to the security of the user's system.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Thursday, 8 August 2013 06:32:42 UTC