Date: Thu, 24 Sep 2015 11:30:16 +0200 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org>, VideoLAN Security Team <security@...eolan.org> Subject: Re: CVE request: BD-J implementation in libbluray On 02/23/2015 09:56 AM, Florian Weimer wrote: > Missing Java Security Manager sandboxing mechanism / feature in the > org.videolan.BDJLoader class > > Description: > > It was found that org.videolan.BDJLoader class implementation of > libbluray, a library to access Blu-Ray disks for video playback, was > missing Java Security Manager sandboxing. A specially-crafted Java > application, utilizing the functionality of org.videolan.BDJLoader > class, could use this missing feature to perform actions as the user > running the Bluray player application. > > Note: libbluray upstream disables BD-J support by default, but some > downstreams (like Fedora) pass --enable-bdjava at configure time, > enabling it for their distribution. > > (This may affect proprietary BD-J implementations as well, I haven't > investigated this due to lack of hardware and documentation.) Could we finally get a CVE ID for this? Thanks. -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ