Date: Tue, 24 Feb 2015 13:09:17 -0800
From: Tavis Ormandy <taviso@...gle.com>
To: Jean-Baptiste Kempf <jb@...eolan.org>
Cc: oss-security@...ts.openwall.com,
 Kurt Seifried <kseifried@...hat.com>,
 Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: Re: [videolan] older issues in libbluray

On Tue, Feb 24, 2015 at 1:03 PM, Jean-Baptiste Kempf <jb@...eolan.org> wrote:
> On 24 Feb, Tavis Ormandy wrote :
>> On Mon, Feb 23, 2015 at 7:47 AM, Jean-Baptiste Kempf <jb@...eolan.org> wrote:
>> >
>> > On 23 Feb, Kurt Seifried wrote :
>> > > Again my apologies for this mess. The good news is that all our current
>> > > embargoed flaws (none against VLC currently =) are being actively
>> > > handled (e.g. worked on in a current time frame) and moving forwards we
>> > > should hopefully be able to avoid issues like this.
>> >
>> > One libbluray issue was already fixed.
>> > The second one is not really fixable, since BD-J is actually executing
>> > java code from the outside.
>>
>> Forgive my unfamiliarity with BluRay, but based on what you just said,
>> it seems like the solution is what was described in the report: just
>> use a JSM?
>
> I don't see the JSM mentioned in the bugreport.
>

I didn't get the bug report, I was referring to the subject Florian
pasted, "missing Java Security Manager sandbox in the BD-J
implementation".

If you run untrusted java, you would normally use a JSM, if you don't
use one that does sound like a bug to me.

Sigh, embargoes.

Tavis.