List: oss-security
Subject: Re: [oss-security] CVE request: BD-J implementation in libbluray
From: Florian Weimer <fweimer () redhat ! com>
Date: 2015-09-24 9:30:16
Message-ID: 5603C2A8.3060202 () redhat ! com
On 02/23/2015 09:56 AM, Florian Weimer wrote:
> Missing Java Security Manager sandboxing mechanism / feature in the
> org.videolan.BDJLoader class
>
> Description:
>
> It was found that org.videolan.BDJLoader class implementation of
> libbluray, a library to access Blu-Ray disks for video playback, was
> missing Java Security Manager sandboxing. A specially-crafted Java
> application, utilizing the functionality of org.videolan.BDJLoader
> class, could use this missing feature to perform actions as the user
> running the Bluray player application.
>
> Note: libbluray upstream disables BD-J support by default, but some
> downstreams (like Fedora) pass --enable-bdjava at configure time,
> enabling it for their distribution.
>
> (This may affect proprietary BD-J implementations as well, I haven't
> investigated this due to lack of hardware and documentation.)

Could we finally get a CVE ID for this? Thanks.

--
Florian Weimer / Red Hat Product Security