oss-sec mailing list archives
Re: Re: CVE request: BD-J implementation in libbluray
From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 01 Mar 2015 11:50:34 +0100
* Sven Schwedas:
On 2015-02-23 10:34, Jean-Baptiste Kempf wrote:On 23 Feb, Florian Weimer wrote :Yes, I do think full sandboxing is required because content publishers have attacked end user system integrity in the past, so I don't think they can be trusted.BD-J code comes from Blu-Rays. Downloading non-official blurays and executing it is like taking random binaries from internet and running them.And the Sony rootkit came from official, store-bought discs …
Someone seems to have worked independently on a proof of concept for this issue: <https://www.nccgroup.com/en/blog/2015/02/abusing-blu-ray-players-pt-1-sandbox-escapes/>
Current thread:
- CVE request: BD-J implementation in libbluray Florian Weimer (Feb 23)
- Re: CVE request: BD-J implementation in libbluray Jean-Baptiste Kempf (Feb 23)
- Re: CVE request: BD-J implementation in libbluray Florian Weimer (Feb 23)
- Re: CVE request: BD-J implementation in libbluray Jean-Baptiste Kempf (Feb 23)
- Re: Re: CVE request: BD-J implementation in libbluray Sven Schwedas (Feb 23)
- Re: Re: CVE request: BD-J implementation in libbluray Florian Weimer (Mar 01)
- Re: CVE request: BD-J implementation in libbluray Florian Weimer (Feb 23)
- Re: CVE request: BD-J implementation in libbluray Jean-Baptiste Kempf (Feb 23)