Re: Re: [videolan] [oss-security] older issues in libbluray

[Tavis Ormandy <taviso () google com>]

On Tue, Feb 24, 2015 at 1:03 PM, Jean-Baptiste Kempf <jb () videolan org> wrote:
> On 24 Feb, Tavis Ormandy wrote :
> > On Mon, Feb 23, 2015 at 7:47 AM, Jean-Baptiste Kempf <jb () videolan org> wrote:
> > > On 23 Feb, Kurt Seifried wrote :
> > > > Again my apologies for this mess. The good news is that all our current
> > > > embargoed flaws (none against VLC currently =) are being actively
> > > > handled (e.g. worked on in a current time frame) and moving forwards we
> > > > should hopefully be able to avoid issues like this.
> > >
> > > One libbluray issue was already fixed.
> > > The second one is not really fixable, since BD-J is actually executing
> > > java code from the outside.
> >
> > Forgive my unfamiliarity with BluRay, but based on what you just said,
> > it seems like the solution is what was described in the report: just
> > use a JSM?
>
> I don't see the JSM mentioned in the bugreport.

I didn't get the bug report, I was referring to the subject Florian
pasted, "missing Java Security Manager sandbox in the BD-J
implementation". If you run untrusted java, you would normally use a
JSM, if you don't use one that does sound like a bug to me.

Sigh, embargoes.

Tavis.