oss-sec mailing list archives
Re: CVE request: BD-J implementation in libbluray
From: Jean-Baptiste Kempf <jb () videolan org>
Date: Sun, 4 Oct 2015 18:36:48 +0200
On 24/09/2015 11:30, Florian Weimer wrote:
On 02/23/2015 09:56 AM, Florian Weimer wrote:Missing Java Security Manager sandboxing mechanism / feature in the org.videolan.BDJLoader class Description: It was found that org.videolan.BDJLoader class implementation of libbluray, a library to access Blu-Ray disks for video playback, was missing Java Security Manager sandboxing. A specially-crafted Java application, utilizing the functionality of org.videolan.BDJLoader class, could use this missing feature to perform actions as the user running the Bluray player application. Note: libbluray upstream disables BD-J support by default, but some downstreams (like Fedora) pass --enable-bdjava at configure time, enabling it for their distribution. (This may affect proprietary BD-J implementations as well, I haven't investigated this due to lack of hardware and documentation.)Could we finally get a CVE ID for this? Thanks.
Btw, aren't those security issues fixed now? -- Jean-Baptiste Kempf http://www.jbkempf.com/ - +33 672 704 734 Sent from my Electronic Device
Current thread:
- Re: CVE request: BD-J implementation in libbluray Jean-Baptiste Kempf (Oct 04)
- Re: CVE request: BD-J implementation in libbluray Florian Weimer (Oct 05)
- Re: CVE request: BD-J implementation in libbluray Jean-Baptiste Kempf (Nov 03)
- <Possible follow-ups>
- Re: CVE request: BD-J implementation in libbluray cve-assign (Oct 12)
- Re: Re: CVE request: BD-J implementation in libbluray Salvatore Bonaccorso (Oct 13)
- Re: CVE request: BD-J implementation in libbluray Florian Weimer (Oct 05)