Date: Sun, 4 Oct 2015 18:36:48 +0200
From: Jean-Baptiste Kempf <>
To: Florian Weimer <>,,
 Assign a CVE Identifier <>
Subject: Re: CVE request: BD-J implementation in libbluray

On 24/09/2015 11:30, Florian Weimer wrote:
> On 02/23/2015 09:56 AM, Florian Weimer wrote:
>> Missing Java Security Manager sandboxing mechanism / feature in the
>> org.videolan.BDJLoader class
>> Description:
>> It was found that org.videolan.BDJLoader class implementation of
>> libbluray, a library to access Blu-Ray disks for video playback, was
>> missing Java Security Manager sandboxing.  A specially-crafted Java
>> application, utilizing the functionality of org.videolan.BDJLoader
>> class, could use this missing feature to perform actions as the user
>> running the Bluray player application.
>> Note: libbluray upstream disables BD-J support by default, but some
>> downstreams (like Fedora) pass --enable-bdjava at configure time,
>> enabling it for their distribution.
>> (This may affect proprietary BD-J implementations as well, I haven't
>> investigated this due to lack of hardware and documentation.)
> Could we finally get a CVE ID for this?  Thanks.

Btw, aren't those security issues fixed now?

Jean-Baptiste Kempf - +33 672 704 734
Sent from my Electronic Device
