Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200510-07 ] RealPlayer, Helix Player: Format string vulnerability
Date: Fri, 07 Oct 2005 17:27:40
Message-Id: 4346ACF5.9070206@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200510-07
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: RealPlayer, Helix Player: Format string vulnerability
9 Date: October 07, 2005
10 Bugs: #107309
11 ID: 200510-07
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 RealPlayer and Helix Player are vulnerable to a format string
19 vulnerability resulting in the execution of arbitrary code.
20
21 Background
22 ==========
23
24 RealPlayer is a multimedia player capable of handling multiple
25 multimedia file formats. Helix Player is an open source media player
26 for Linux.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 media-video/realplayer < 10.0.6 >= 10.0.6
35 2 media-video/helixplayer < 1.0.6 >= 1.0.6
36 -------------------------------------------------------------------
37 2 affected packages on all of their supported architectures.
38 -------------------------------------------------------------------
39
40 Description
41 ===========
42
43 "c0ntex" reported that RealPlayer and Helix Player suffer from a heap
44 overflow.
45
46 Impact
47 ======
48
49 By enticing a user to play a specially crafted realpix (.rp) or
50 realtext (.rt) file, an attacker could execute arbitrary code with the
51 permissions of the user running the application.
52
53 Workaround
54 ==========
55
56 There is no known workaround at this time.
57
58 Resolution
59 ==========
60
61 All RealPlayer users should upgrade to the latest version:
62
63 # emerge --sync
64 # emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.6"
65
66 All Helix Player users should upgrade to the latest version:
67
68 # emerge --sync
69 # emerge --ask --oneshot --verbose ">=media-video/helixplayer-1.0.6"
70
71 References
72 ==========
73
74 [ 1 ] CAN-2005-2710
75 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2710
76
77 Availability
78 ============
79
80 This GLSA and any updates to it are available for viewing at
81 the Gentoo Security Website:
82
83 http://security.gentoo.org/glsa/glsa-200510-07.xml
84
85 Concerns?
86 =========
87
88 Security is a primary focus of Gentoo Linux and ensuring the
89 confidentiality and security of our users machines is of utmost
90 importance to us. Any security concerns should be addressed to
91 security@g.o or alternatively, you may file a bug at
92 http://bugs.gentoo.org.
93
94 License
95 =======
96
97 Copyright 2005 Gentoo Foundation, Inc; referenced text
98 belongs to its owner(s).
99
100 The contents of this document are licensed under the
101 Creative Commons - Attribution / Share Alike license.
102
103 http://creativecommons.org/licenses/by-sa/2.0

Attachments

File name MIME type
signature.asc application/pgp-signature