Date: Thu, 24 Sep 2015 11:30:16 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com,
        Assign a CVE Identifier <cve-assign@...re.org>,
        VideoLAN Security Team <security@...eolan.org>
Subject: Re: CVE request: BD-J implementation in libbluray

On 02/23/2015 09:56 AM, Florian Weimer wrote:
> Missing Java Security Manager sandboxing mechanism / feature in the
> org.videolan.BDJLoader class
> 
> Description:
> 
> It was found that the org.videolan.BDJLoader class implementation in
> libbluray, a library to access Blu-ray disks for video playback, was
> missing Java Security Manager sandboxing.  A specially-crafted Java
> application, utilizing the functionality of the org.videolan.BDJLoader
> class, could use this missing feature to perform actions as the user
> running the Blu-ray player application.
> 
> Note: libbluray upstream disables BD-J support by default, but some
> downstreams (like Fedora) pass --enable-bdjava at configure time,
> enabling it for their distribution.
> 
> (This may affect proprietary BD-J implementations as well, I haven't
> investigated this due to lack of hardware and documentation.)

Could we finally get a CVE ID for this?  Thanks.

-- 
Florian Weimer / Red Hat Product Security
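The report above is about a loader that runs disc-supplied Java code without the Java Security Manager, so the loaded code inherits every permission of the player process. The following is an added illustration, written for this page and not taken from libbluray or org.videolan.BDJLoader (whose internals are not shown here): a hypothetical loader with the "missing feature" beside a hardened variant that installs a SecurityManager and runs the untrusted code under a ProtectionDomain that grants nothing. The xlet interface, the file-reading "malicious" xlet and the target path are constructed for the demo. Note the platform caveat: SecurityManager is deprecated for removal since Java 17 (JEP 411, where setSecurityManager requires -Djava.security.manager=allow on the command line) and permanently disabled in Java 24 (JEP 486), so run this on Java 8 to 17.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

// Hypothetical stand-in for a BD-J loader; this is NOT libbluray's BDJLoader.
public class XletSandboxDemo {

    // Stand-in for a BD-J application (xlet) loaded from a disc; treated as untrusted.
    interface Xlet {
        String start();
    }

    // Constructed "malicious" xlet: tries to open a file on the player's host.
    static Xlet fileReadingXlet(String path) {
        return () -> {
            try (FileInputStream in = new FileInputStream(path)) {
                return "opened " + path + " (no sandbox in effect)";
            } catch (SecurityException e) {
                // AccessControlException from the SecurityManager: the policy denied it.
                return "denied by sandbox: " + e.getMessage();
            } catch (IOException e) {
                // The open was attempted; only the filesystem, not a policy, stopped it.
                return "not denied (open attempted, I/O error: " + e.getMessage() + ")";
            }
        };
    }

    // The missing feature: the xlet runs with every permission the player process has.
    static String runUnsandboxed(Xlet xlet) {
        return xlet.start();
    }

    // Hardened form: make sure a SecurityManager is installed, then run the xlet under a
    // ProtectionDomain with an empty permission set. A real player would grant exactly
    // the permissions the BD-J specification allows (e.g. reading the disc's own files)
    // instead of nothing; the empty set is chosen here to make the denial visible.
    static String runSandboxed(Xlet xlet) {
        if (System.getSecurityManager() == null) {
            // Java 17+: the JVM must be started with -Djava.security.manager=allow.
            System.setSecurityManager(new SecurityManager());
        }
        ProtectionDomain noPermissions = new ProtectionDomain(null, new Permissions());
        AccessControlContext restricted =
                new AccessControlContext(new ProtectionDomain[] { noPermissions });
        // Stack inspection stops at this doPrivileged frame, so only the xlet's own
        // frames plus the restricted context are consulted for every permission check.
        return AccessController.doPrivileged((PrivilegedAction<String>) xlet::start, restricted);
    }

    public static void main(String[] args) {
        // Constructed target: a private key in the home directory of the user running the player.
        String target = args.length > 0
                ? args[0]
                : System.getProperty("user.home") + "/.ssh/id_rsa";
        Xlet evil = fileReadingXlet(target);
        System.out.println("unsandboxed: " + runUnsandboxed(evil));
        System.out.println("sandboxed:   " + runSandboxed(evil));
    }
}
```

Compile with javac and run with `java -Djava.security.manager=allow XletSandboxDemo` (the property is ignored on Java 8 to 11 and required on 12 to 17). The first line shows the file being opened, or an I/O error if it does not exist, because nothing checked the access; the second reports an access-denied FilePermission, which is the check the report says the loader never installs. The same restricted context also blocks Runtime.exec, socket opens and property reads, since every such call consults the SecurityManager when one is installed.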
