List:       oss-security
Subject:    [oss-security] Re: CVE request: BD-J implementation in libbluray
From:       Jean-Baptiste Kempf <jb () videolan ! org>
Date:       2015-02-23 9:34:24
Message-ID: 20150223093424.GA20329 () videolan ! org

On 23 Feb, Florian Weimer wrote :
> > As for https://bugzilla.redhat.com/show_bug.cgi?id=959434
> > 
> > "Fixing it would not change anything. Xlet (that requests the mount, or is
> > being executed from the mount) could as well uncompress the files by self
> > where it wants, even download other files from internet."
> > 
> > So, maybe you want to have a full Xlet sandboxing? Or is it something
> > else?
> 
> Yes, I do think full sandboxing is required because content publishers
> have attacked end user system integrity in the past, so I don't think
> they can be trusted.

BD-J code comes from Blu-Rays. Downloading non-official Blu-Rays and
executing it is like taking random binaries from the internet and running
them.

Patches are welcome, though...


With my kindest regards,

-- 
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device