Date: Sun, 01 Mar 2015 11:50:34 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: BD-J implementation in libbluray

* Sven Schwedas:

> On 2015-02-23 10:34, Jean-Baptiste Kempf wrote:
>> On 23 Feb, Florian Weimer wrote :
>>> Yes, I do think full sandboxing is required because content publishers
>>> have attacked end user system integrity in the past, so I don't think
>>> they can be trusted.
>> 
>> BD-J code comes from Blu-Rays. Downloading non-official blurays and
>> executing it is like taking random binaries from internet and running
>> them.
>
> And the Sony rootkit came from official, store-bought discs …

Someone seems to have worked independently on a proof of concept for
this issue:

<https://www.nccgroup.com/en/blog/2015/02/abusing-blu-ray-players-pt-1-sandbox-escapes/>
