Date: Sun, 4 Oct 2015 18:36:48 +0200
From: Jean-Baptiste Kempf <jb@...eolan.org>
To: Florian Weimer <fweimer@...hat.com>, oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE request: BD-J implementation in libbluray

On 24/09/2015 11:30, Florian Weimer wrote:
> On 02/23/2015 09:56 AM, Florian Weimer wrote:
>> Missing Java Security Manager sandboxing mechanism / feature in the
>> org.videolan.BDJLoader class
>>
>> Description:
>>
>> It was found that org.videolan.BDJLoader class implementation of
>> libbluray, a library to access Blu-Ray disks for video playback, was
>> missing Java Security Manager sandboxing. A specially-crafted Java
>> application, utilizing the functionality of org.videolan.BDJLoader
>> class, could use this missing feature to perform actions as the user
>> running the Bluray player application.
>>
>> Note: libbluray upstream disables BD-J support by default, but some
>> downstreams (like Fedora) pass --enable-bdjava at configure time,
>> enabling it for their distribution.
>>
>> (This may affect proprietary BD-J implementations as well, I haven't
>> investigated this due to lack of hardware and documentation.)
>
> Could we finally get a CVE ID for this? Thanks.

Btw, aren't those security issues fixed now?

--
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device