List:       oss-security
Subject:    [oss-security] Re: CVE request: BD-J implementation in libbluray
From:       Florian Weimer <fweimer () redhat ! com>
Date:       2015-02-23 9:31:19
Message-ID: 54EAF367.4030806 () redhat ! com

On 02/23/2015 10:27 AM, Jean-Baptiste Kempf wrote:
> On 23 Feb, Florian Weimer wrote:
>> Missing Java Security Manager sandboxing mechanism / feature in the
>> org.videolan.BDJLoader class
> 
> The code corresponding to:
> https://bugzilla.redhat.com/show_bug.cgi?id=959433
> 
> is gone from newer releases. You should upgrade, since we don't support
> old releases.

Still needs CVE assignment, though.

> As for https://bugzilla.redhat.com/show_bug.cgi?id=959434
> 
> "Fixing it would not change anything. Xlet (that requests the mount, or is
> being executed from the mount) could as well uncompress the files by itself
> wherever it wants, even download other files from the internet."
> 
> So, maybe you want to have a full Xlet sandboxing? Or is it something
> else?

Yes, I do think full sandboxing is required because content publishers
have attacked end user system integrity in the past, so I don't think
they can be trusted.

-- 
Florian Weimer / Red Hat Product Security