List: oss-security
Subject: [oss-security] CVE request: BD-J implementation in libbluray
From: Florian Weimer <fweimer () redhat ! com>
Date: 2015-02-23 8:56:39
Message-ID: 54EAEB47.7070106 () redhat ! com
Missing Java Security Manager sandboxing mechanism / feature in the
org.videolan.BDJLoader class

Description:

It was found that org.videolan.BDJLoader class implementation of
libbluray, a library to access Blu-Ray disks for video playback, was
missing Java Security Manager sandboxing. A specially-crafted Java
application, utilizing the functionality of org.videolan.BDJLoader
class, could use this missing feature to perform actions as the user
running the Bluray player application.

Note: libbluray upstream disables BD-J support by default, but some
downstreams (like Fedora) pass --enable-bdjava at configure time,
enabling it for their distribution.

(This may affect proprietary BD-J implementations as well, I haven't
investigated this due to lack of hardware and documentation.)

--
Florian Weimer / Red Hat Product Security