oss-sec mailing list archives
Re: CVE request: BD-J implementation in libbluray
From: Florian Weimer <fweimer () redhat com>
Date: Thu, 24 Sep 2015 11:30:16 +0200
On 02/23/2015 09:56 AM, Florian Weimer wrote:
Missing Java Security Manager sandboxing mechanism / feature in the org.videolan.BDJLoader class Description: It was found that org.videolan.BDJLoader class implementation of libbluray, a library to access Blu-Ray disks for video playback, was missing Java Security Manager sandboxing. A specially-crafted Java application, utilizing the functionality of org.videolan.BDJLoader class, could use this missing feature to perform actions as the user running the Bluray player application. Note: libbluray upstream disables BD-J support by default, but some downstreams (like Fedora) pass --enable-bdjava at configure time, enabling it for their distribution. (This may affect proprietary BD-J implementations as well, I haven't investigated this due to lack of hardware and documentation.)
Could we finally get a CVE ID for this? Thanks. -- Florian Weimer / Red Hat Product Security
Current thread:
- Re: CVE request: BD-J implementation in libbluray Florian Weimer (Sep 24)