Date: Sun, 01 Mar 2015 11:50:34 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: BD-J implementation in libbluray

* Sven Schwedas:

> On 2015-02-23 10:34, Jean-Baptiste Kempf wrote:
>> On 23 Feb, Florian Weimer wrote :
>>> Yes, I do think full sandboxing is required because content publishers
>>> have attacked end user system integrity in the past, so I don't think
>>> they can be trusted.
>>
>> BD-J code comes from Blu-Rays. Downloading non-official blurays and
>> executing it is like taking random binaries from internet and running
>> them.
>
> And the Sony rootkit came from official, store-bought discs …

Someone seems to have worked independently on a proof of concept for
this issue:

<https://www.nccgroup.com/en/blog/2015/02/abusing-blu-ray-players-pt-1-sandbox-escapes/>