Date: Sun, 4 Oct 2015 18:36:48 +0200
From: Jean-Baptiste Kempf <jb@...eolan.org>
To: Florian Weimer <fweimer@...hat.com>, oss-security@...ts.openwall.com,
 Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE request: BD-J implementation in libbluray

On 24/09/2015 11:30, Florian Weimer wrote:
> On 02/23/2015 09:56 AM, Florian Weimer wrote:
>> Missing Java Security Manager sandboxing mechanism / feature in the
>> org.videolan.BDJLoader class
>>
>> Description:
>>
>> It was found that the org.videolan.BDJLoader class implementation of
>> libbluray, a library to access Blu-ray discs for video playback, was
>> missing Java Security Manager sandboxing.  A specially-crafted Java
>> application, utilizing the functionality of the org.videolan.BDJLoader
>> class, could use this missing feature to perform actions as the user
>> running the Blu-ray player application.
>>
>> Note: libbluray upstream disables BD-J support by default, but some
>> downstreams (like Fedora) pass --enable-bdjava at configure time,
>> enabling it for their distribution.
>>
>> (This may affect proprietary BD-J implementations as well, I haven't
>> investigated this due to lack of hardware and documentation.)
>
> Could we finally get a CVE ID for this?  Thanks.

Btw, aren't those security issues fixed now?


-- 
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device
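The mechanism the report above says was missing, as an added illustration that is not code from libbluray or VideoLAN: a loader that installs a deny-by-default java.security.Policy and a SecurityManager before it defines any class that came from the disc. The disc root URL, the JAR location, the entry class name and the small permission set are assumptions chosen for the example. Two caveats: the SecurityManager was deprecated for removal in JDK 17, needs -Djava.security.manager=allow on JDK 18 to 23, and cannot be enabled on JDK 24 and later; and the BD-J specification's own permission model (signed applications with declared permissions) is richer than this single policy.

```java
import java.io.File;
import java.io.FilePermission;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.URI;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

/*
 * Added example (not libbluray code): load disc-supplied Java classes only
 * after a restrictive Policy and a SecurityManager are in place, so that a
 * crafted application on the disc cannot act with the player's privileges.
 * Layout, class names and the granted permissions are assumptions.
 */
public class SandboxedLoader {

    /** Policy that grants disc code a minimal permission set; host code keeps all. */
    static final class DiscPolicy extends Policy {
        private final String discRoot;              // e.g. "file:/mnt/bdrom/" (assumed)
        private final PermissionCollection allowed; // what disc code may do

        DiscPolicy(URL discRoot) {
            this.discRoot = discRoot.toString();
            File root = new File(URI.create(this.discRoot));
            allowed = new Permissions();
            // Read access below the disc mount point, recursively, and one harmless property.
            allowed.add(new FilePermission(root.getPath() + File.separator + "-", "read"));
            allowed.add(new PropertyPermission("line.separator", "read"));
        }

        /** True when the class in this domain was defined from a URL under the disc root. */
        private boolean isDiscCode(ProtectionDomain pd) {
            CodeSource cs = pd.getCodeSource();
            return cs != null && cs.getLocation() != null
                && cs.getLocation().toString().startsWith(discRoot);
        }

        @Override
        public boolean implies(ProtectionDomain pd, Permission perm) {
            if (!isDiscCode(pd)) {
                return true;            // the player's own classes stay fully privileged
            }
            return allowed.implies(perm); // disc code: deny unless explicitly granted
        }
    }

    /** Must run once, before the first disc class is loaded. */
    public static void installSandbox(URL discRoot) {
        Policy.setPolicy(new DiscPolicy(discRoot));
        System.setSecurityManager(new SecurityManager()); // JDK 18-23: -Djava.security.manager=allow
    }

    /** Loads the entry class from a disc JAR and invokes its static main(String[]). */
    public static void runDiscCode(URL jar, String className) throws Exception {
        if (System.getSecurityManager() == null) {
            // The condition the report describes: never define disc classes without a sandbox.
            throw new IllegalStateException("sandbox not installed; refusing to load disc code");
        }
        try (URLClassLoader cl = new URLClassLoader(new URL[] { jar },
                                                    SandboxedLoader.class.getClassLoader())) {
            Class<?> entry = cl.loadClass(className);
            Method main = entry.getMethod("main", String[].class);
            main.invoke(null, (Object) new String[0]);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: SandboxedLoader <disc-root-url> <jar-url> <entry-class>");
            System.exit(2);
        }
        installSandbox(URI.create(args[0]).toURL());
        try {
            runDiscCode(URI.create(args[1]).toURL(), args[2]);
        } catch (InvocationTargetException e) {
            // A disc class that attempts e.g. new FileOutputStream("/home/user/.bashrc")
            // lands here with a java.security.AccessControlException as the cause.
            System.err.println("disc code rejected by sandbox: " + e.getCause());
        }
    }
}
```

To check the behaviour, point the loader at a JAR whose entry class writes a file outside the disc root (for example `java SandboxedLoader file:/mnt/bdrom/ file:/mnt/bdrom/BDMV/JAR/00000.jar org.example.Xlet` on a JDK that still supports the SecurityManager): the write must fail with AccessControlException, while a read of a file under /mnt/bdrom succeeds. Running the same JAR through a plain URLClassLoader with no SecurityManager installed lets the write go through as the player's user, which is exactly the exposure the report describes. Deciding trust by code-source URL is the weak point of this simple policy: the disc root must be the only place disc classes can be defined from, and host code must never define classes with a disc code source.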
