Bug 564806 (CVE-2015-7810) - <media-libs/libbluray-0.8.1: Missing Java Security Manager sandboxing mechanism / feature in the org.videolan.BDJLoader class
Status: RESOLVED FIXED
Alias: CVE-2015-7810
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: C2 [noglsa]
Reported: 2015-11-03 14:05 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-09-17 15:41 UTC (History)
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-03 14:05:36 UTC
From ${URL}:
It was found that the org.videolan.BDJLoader class implementation of
libbluray, a library to access Blu-ray disks for video playback, was
missing Java Security Manager sandboxing. A specially crafted Java
application, utilizing the functionality of the org.videolan.BDJLoader
class, could use this missing feature to perform actions as the user
running the Blu-ray player application.

Note: libbluray upstream disables BD-J support by default, but some
downstreams (like Fedora) pass --enable-bdjava at configure time,
enabling it for their distribution.

From http://www.openwall.com/lists/oss-security/2015/10/12/7 :
This is a situation in which there may be multiple valid perspectives.
What we're going to do is assign a CVE ID to the Fedora package for
the use of --enable-bdjava at a time when there had not been an
upstream release with default support for BD-J. Use CVE-2015-7810.
...
In other words, our perspective is that the primary known mistake is
that the Fedora packaging process chose a non-standard default
behavior, and either didn't investigate or didn't document the risks.
If anyone else independently chose --enable-bdjava for their package
based on 0.7.0 or earlier, then they can have their own CVE ID.

###
At least the libbluray 0.6.2 ebuild is still in tree, which enables bdjava when the java USE flag is specified, and as such is vulnerable to this.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-02-20 04:31:21 UTC
All versions in tree are vulnerable.  Please advise on how the maintainer or project would like to proceed.  This may require removing functionality from the user in a multilib environment.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 19:40:20 UTC
I am inclined to close this as RESOLVED:INVALID. Reasons:

1) We don't enable BD-J support by default. The user has to manually enable that feature (that's why I am downgrading from B to C).

2) Users who enabled BD-J support should have known how BD-J works (i.e. that BD-J basically executes arbitrary Java files from unknown sources). There's no reason to expect the feature to use some kind of sandboxing. So having some kind of sandboxing is more like a feature request, see http://www.openwall.com/lists/oss-security/2015/10/12/7

3) So for me this isn't a security bug; therefore closing as "invalid" is the only applicable status for me.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-09-17 15:41:58 UTC
Agree with Thomas.