Your message dated Sun, 3 May 2015 01:59:00 +0200
with message-id <[email protected]>
and subject line Re: Bug#738554: libbluray-bdj security issues
has caused the Debian Bug report #738554,
regarding libbluray-bdj security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
738554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738554
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libbluray-bdj
Version: 1:0.5.0-2
Severity: normal



Hi.

AFAIU, BD-J allows BluRays to run some Java code for an "extended experience"...

No even if that was sandboxed... we all know how problematic this is with 
respect
to security and that Java has a really bad record in terms of that.

In the end this probably means, that if installed, more or less arbitrary code
from BluRays (especially video BluRays) may be executed.


I think that at least the package description should clearly warn the user about
that, since many people may not fully realise what BD-J means.

And IMHO it would be even better, if libbluray-bdj was "disabled" by default,
even when installed... like that any function of it simply returns an error,
or that it's not loaded by libbluray unless some configuration file enables it
explicitly.


Cheers,
Chris.

--- End Message ---
--- Begin Message ---
Version: 1:0.8.0-1

On 2014-02-10 17:07:01, Christoph Anton Mitterer wrote:
> AFAIU, BD-J allows BluRays to run some Java code for an "extended 
> experience"...
> 
> No even if that was sandboxed... we all know how problematic this is with 
> respect
> to security and that Java has a really bad record in terms of that.
> 
> In the end this probably means, that if installed, more or less arbitrary code
> from BluRays (especially video BluRays) may be executed.
> 
> 
> I think that at least the package description should clearly warn the user 
> about
> that, since many people may not fully realise what BD-J means.
> 
> And IMHO it would be even better, if libbluray-bdj was "disabled" by default,
> even when installed... like that any function of it simply returns an error,
> or that it's not loaded by libbluray unless some configuration file enables it
> explicitly.

libbluray now implements a Security Manager for BD-J code. From my point of
view, the addition of the SM fixes this general complaint.

Cheers
-- 
Sebastian Ramacher

Attachment: signature.asc
Description: Digital signature


--- End Message ---

Reply via email to