Bug#: 183421
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Carsten Lohrke <carlo@gentoo.org>

Description:   Opened: 2007-06-27 15:48 0000
Remote exploitation of a buffer overflow within RealNetworks' RealPlayer and
HelixPlayer allows attackers to execute arbitrary code in the context of the
user.

The issue specifically exists in the handling of HH:mm:ss.f time formats by the
'wallclock' functionality within the code supporting SMIL2. An excerpt from the
code follows.


http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547

------- Comment #1 From Pierre-Yves Rofes 2007-07-15 15:21:00 0000 -------
media-video, what's the status here? please advise.

------- Comment #2 From Steve Dibb 2007-07-15 16:00:10 0000 -------
I haven't seen any releases from upstream regarding the issue, I'll have to
find out what the status is.

------- Comment #3 From Jakub Moc (RETIRED) 2007-08-17 06:35:28 0000 -------
*** Bug 189190 has been marked as a duplicate of this bug. ***

------- Comment #4 From Jakub Moc (RETIRED) 2007-08-17 06:37:09 0000 -------
https://player.helixcommunity.org/2007/releases/rp10gold/RP10_0_9ReleaseNotes.html

What's New in 10.0.9

    * This is a security update with a piggy-back bug fix.
    * Fixed an embedded player crash in some music web sites.

No idea if this fixes this one, the above is all they provide. The damned thing
is again not downloadable via normal SRC_URI, suggest that we finally stick
RESTRICT=fetch into the ebuild and are done with it.

https://helixcommunity.org/projects/player/files/download/2479

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-08-17 21:40:54 0000 -------
media-video does 10.0.9 solve the current issue?

------- Comment #6 From Steve Dibb 2007-08-25 14:02:51 0000 -------
media-video/realplayer-10.0.9 in the tree

------- Comment #7 From Arfrever Frehtes Taifersar Arahesis 2007-08-26 13:30:17 0000 -------
(In reply to comment #6)
> media-video/realplayer-10.0.9 in the tree

Now there is such a message:
 * Download RealPlayer manually from Real's website at
 *
 *

Please replace ${DOWNLOADPAGE} with ${HOMEPAGE}.

------- Comment #8 From Steve Dibb 2007-08-27 13:45:05 0000 -------
(In reply to comment #7)
> (In reply to comment #6)
> > media-video/realplayer-10.0.9 in the tree
> 
> Now there is such a message:
>  * Download RealPlayer manually from Real's website at
>  *
>  *
> 
> Please replace ${DOWNLOADPAGE} with ${HOMEPAGE}.
> 

fixed, thanks

------- Comment #9 From Sune Kloppenborg Jeppesen 2007-08-28 19:48:09 0000 -------
x86 please test and mark stable.

------- Comment #10 From Jurek Bartuszek 2007-08-28 22:25:14 0000 -------
x86 stable

------- Comment #11 From Pierre-Yves Rofes 2007-08-29 10:20:18 0000 -------
glsa request filed.

------- Comment #12 From Raphael Marichez 2007-09-14 21:45:22 0000 -------
it's GLSA 200709-05, thanks everybody
