oss-sec mailing list archives
CVE request: BD-J implementation in libbluray
From: Florian Weimer <fweimer () redhat com>
Date: Mon, 23 Feb 2015 09:56:39 +0100
Missing Java Security Manager sandboxing mechanism / feature in the org.videolan.BDJLoader class Description: It was found that org.videolan.BDJLoader class implementation of libbluray, a library to access Blu-Ray disks for video playback, was missing Java Security Manager sandboxing. A specially-crafted Java application, utilizing the functionality of org.videolan.BDJLoader class, could use this missing feature to perform actions as the user running the Bluray player application. Note: libbluray upstream disables BD-J support by default, but some downstreams (like Fedora) pass --enable-bdjava at configure time, enabling it for their distribution. (This may affect proprietary BD-J implementations as well, I haven't investigated this due to lack of hardware and documentation.) -- Florian Weimer / Red Hat Product Security
Current thread:
- CVE request: BD-J implementation in libbluray Florian Weimer (Feb 23)
- Re: CVE request: BD-J implementation in libbluray Jean-Baptiste Kempf (Feb 23)
- Re: CVE request: BD-J implementation in libbluray Florian Weimer (Feb 23)
- Re: CVE request: BD-J implementation in libbluray Jean-Baptiste Kempf (Feb 23)
- Re: Re: CVE request: BD-J implementation in libbluray Sven Schwedas (Feb 23)
- Re: Re: CVE request: BD-J implementation in libbluray Florian Weimer (Mar 01)
- Re: CVE request: BD-J implementation in libbluray Florian Weimer (Feb 23)
- Re: CVE request: BD-J implementation in libbluray Jean-Baptiste Kempf (Feb 23)