Summary: | <media-libs/libbluray-0.8.1: Missing Java Security Manager sandboxing mechanism / feature in the org.videolan.BDJLoader class | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | media-video |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2015/02/23/7 | | |
Whiteboard: | C2 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 604636 | | |
Bug Blocks: | | | |

Description
Kristian Fiskerstrand (RETIRED)
2015-11-03 14:05:36 UTC
All versions in tree are vulnerable. Please advise on how the maintainer or project would like to proceed. This may require removing functionality from the user in a multilib environment.

I am tending to close this as resolved:invalid. Reasons:

1) We don't enable BD-J support per default. The user has to manually enable that feature (that's why I am downgrading from B to C).

2) Users who enabled BD-J support should have known how BD-J works (i.e. that BD-J is basically executing arbitrary JAVA files from unknown sources). There's no reason to expect the feature uses some kind of sandboxing. So having some kind of sandboxing is more like a feature request, see http://www.openwall.com/lists/oss-security/2015/10/12/7

3) So for me this isn't a security bug, therefore closing as "invalid" is the only applicable status for me.

Agree with Thomas.