Bugzilla Bug 40469

http://www.service.real.com/help/faq/security/040123_player/EN/

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Carlo
This looks to be for Windows Players only. 
Can you try to find out some more details please.

>"Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms)

don't know about exploit 3 - it's not noted

there doesn't seem to be an updated linux binary on their servers yet either...

Jeremy: Sure. That doesn't mean, that Gentoo users do not deserve a warning.
The stable status of the ebuilds shopuld be revoked.

oh I agree 100%.  I only mentioned that because I was hoping someone might know
where (and if) updated linux binaries were released since the real.com website
is a pain to navigate and I might've just missed it somehow.

I'm pasting this here.. 
It's alot easier when we dont have to go chasing down urls 
to get the basic info..


-----------------------------------------------------------------------
RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated February 4, 2004

RealNetworks, Inc. has recently been made aware of security vulnerabilities that could potentially allow an attacker to run arbitrary code on a user's machine.

The specific exploits were:

    * Exploit 1: To operate remote Javascript from the domain of the URL opened by a SMIL file or other file.
    * Exploit 2: To fashion RMP files which allow an attacker to download and execute arbitrary code on a user's machine.
    * Exploit 3: To fashion media files to create 

I'm pasting this here.. 
It's alot easier when we dont have to go chasing down urls 
to get the basic info..


-----------------------------------------------------------------------
RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated February 4, 2004

RealNetworks, Inc. has recently been made aware of security vulnerabilities that could potentially allow an attacker to run arbitrary code on a user's machine.

The specific exploits were:

    * Exploit 1: To operate remote Javascript from the domain of the URL opened by a SMIL file or other file.
    * Exploit 2: To fashion RMP files which allow an attacker to download and execute arbitrary code on a user's machine.
    * Exploit 3: To fashion media files to create “Buffer Overrun” errors.

While we have not received reports of anyone actually being attacked with this exploit, all security vulnerabilities are taken very seriously by RealNetworks. RealNetworks has found and fixed the problem.

Affected Software:

    "Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

    "Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

    "Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).

Since this is a remote exploit, I agree that the packages should be masked in
portage.

package masked for now..

new revision: 1.2680; previous revision: 1.2679

+# <solar@gentoo.org> (06 Feb 2004)
+# RealPlayer 8 vulnerabilities bug #40469
+media-video/realplayer

Can somebody please make an announcment on the gentoo-announce ml 
and touch base with the GWN guys.

Anybody that's interested in getting this unmasked please contact the 
upstream vendor and request an updated version for linux.

i agree that it should be masked until a solution is found.

@solar: what about media-video/realone ?

Has anybody from Gentoo contacted RealNetworks directly to ask about a security
update for Linux?

Aron
See comment #8

--------------------------------------------------------------------------------

Carlo
Thanks again I was completely unaware that a realone even existed for linux.

Seeing as your one of our best security bug reporters I'd like to request 
that when you report them if you could try to remember to include the category/package name corresponding to a report.

Thanks in advance.

--------------------------------------------------------------------------------
added to the package.mask

new revision: 1.2681; previous revision: 1.2680

-# RealPlayer 8 vulnerabilities bug #40469
+# RealPlayer/RealOne 8 vulnerabilities bug #40469
 media-video/realplayer
+media-video/realone

my last commit was a little unclear so I've reversed around the names.

-# RealPlayer/RealOne 8 vulnerabilities bug #40469
+# RealOne/RealPlayer 8 vulnerabilities bug #40469

i've contacted them and here's the reply i got .. in short, seems like we're
left out in the cold .. 

Hello!
Thank you for contacting RealNetworks Technical Support.

I am sorry to inform you that RealOne Player/RealPlayer 10 and the older
versions are only available for Windows and Macintosh OS X operating systems at
this time. RealNetworks does not release information on future availability or
development of software products.

Visit http://www.real.com or http://www.realnetworks.com for the latest
published information on RealNetworks products.

Additional Information:

At the request of customers in the UNIX community, RealNetworks has provided
RealPlayer software in a variety of Community Supported platforms. 

RealNetworks does not formally support these versions of RealPlayer, however,
we have created a special public forum to provide users of these products with
a way to share their thoughts and experiences. We encourage you to use the
forum for this purpose. 

You may download a Community Supported RealPlayer from the following location:
http://proforma.real.com/real/player/unix/unix.html?

You can access the Community Supported RealPlayer Forum at the following
location:
http://realforum.real.com/cgi-bin/unixplayer/wwwthreads.pl

---------------------------------------

However if you have comments or suggestions, you can submit your feedback by
following the link given below:

URL:
http://www.expressresponse.com/cgi-bin/progsnp/real_fbk/srchjnnp?search_type=surveyreq&search_input=survey_1.html

---------------------------------------

Regards,

Dheeraj Pahlajani
B2K Corp.
RealNetworks Authorized Support Provider



RealOne subscribers can send general account questions by visiting
http://service.real.com/realone/contact/

------- Original Message -------- 
From:            liquidx@gentoo.org
To:              realone@support.real.com
Subject:         Linux Security Updat_ER#1076084591.26972.4#
Date:            02/06/04 08:37:40


Dear Real Customer Support,

I am writing to you via this webform because I cannot find any other contact
information on your website to which I can query about security issues. 

Firstly, I am a developer for Gentoo Linux, a free and opensource
meta-distribution for Linux. We distribute executable instructions for uses to
download and install free and/or open-source libraries and applications.

We have received the annoucement from Real that the current versions of
RealPlayer 8 and RealOne Player are vunerable to maciliously crafted media
files that can execute arbitary code on a user's system[2]. We treat these
reports seriously and have decided to advice users to uninstall realplayer or
realone player from their systems until this vunerability has been resolved.

My question to Real Player Unix support is when (if possible) will there be a
patched version of RealOne Player for Linux and/or RealPlayer 8 for Linux
released that addresses the vunerability[1] ?

We will be willing to provide any information and or help that would allow the
speedy solution to this problem. 

Thank you very much for your time.

Best Regards,

Alastair Tse (liquidx@gentoo.org)

[1] http://service.real.com/help/faq/security/040123_player/EN/
[2] http://bugs.gentoo.org/show_bug.cgi?id=40469 
Search String: real_rec: RealOnePlayer2_0Buy OR RealOnePlayer1_0Buy OR
RealOnePlayer1_0Try OR RealOneServices OR RealOnePlayerOSX OR RealOneMobile OR
BillShipReturn OR Downloading OR Ordering OR Privacy OR
SerialUpgradeSubscription OR RealNetworksCompany OR RealNetworksWebsite: Linux
Security Update

[X] None of the above


THE INFORMATION PROVIDED IN THE REALNETWORKS KNOWLEDGE BASE IS PROVIDED 'AS IS'
WITHOUT WARRANTY OF ANY KIND. REALNETWORKS DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE. IN NO EVENT SHALL REALNETWORKS OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
REALNETWORKS OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.


Copyright c RealNetworks Inc. and/or its licensors, 1995 - 1999 all rights
reserved. RealAudio, RealVideo, RealMedia and RealPlayer are trademarks of
RealNetworks Inc.


---------------------
Instructions to Reply 
---------------------


Your Incident ID number for this request is 53514156

To reply to this message you may simply reply to this email.  (Please do not
modify the subject line)

Grrrrr! That is absolutely bullshit! grrrr!

I don't like the realplayer at all, but their codecs are unfortunately needed for so many websites.

If real doesn't react quickly, we need an alternative. Maybe Mplayer with hacked real-codecs? Or Mplayer with already patched windows-dll's? Ok, last one doesn't help non x86 users... :-(

reverse engineering codecs and dll's is not our job and may even not be 
permitted by license or law. Your more than welcome to start a new
opensource project for such a task, but it's quite simply beyond the
scope of the distribution.

Mplayer can already decode RealAudio/RealVideo formats. No need to hack
anything. There is also mplayer-plugin for browsing internet.

Was this vulnerability announced? There's no issue in forums.g.o/News &
Announcements.

No GLSA sent out.

Well, I talked with Rob Lamphier on the telephone just a few minutes ago to ask
him on the progress of this issue.  I hope we'll hear from Real soon about
possible fixes.

Hi all - the vulnerability announcement you are referring to was specific to
Windows platforms.  That said, I don't yet know the answer to the specific
question of whether or not RealPlayer 8 for Linux or the RealOne Player alpha
for Linux are vulnerable.  I started that ball rolling, but it'll take a bit to
figure it out.

In the meantime, we know for certain that the Helix Player for Linux
(https://player.helixcommunity.org) is not vulnerable.  We also know that
mplayer + our DLLs to play back RealAudio and RealVideo constitutes a violation
of our license agreement, so I recommend against considering that a "solution"
for playing back RealAudio and RealVideo.

>Hi all - the vulnerability announcement you are referring to was specific to Windows platforms. That said, I don't yet know the answer to the specific question of whether or not RealPlayer 8 for Linux or the RealOne Player alpha for Linux are vulnerable.

First, thanks for clearing this up - more or less. Exactly this sort of
statements (the unclear announcement and your "hm, don't know for sure"
comment) is one of the reasons, why I don't feel good using closed source
software.

Hi folks -- sorry this is taking so long.  We're in an awkward transitional
time between our old player (RealPlayer 8) and the new player (Helix Player). 
The problem slipped through the cracks as a result of that.  We'll keep folks
posted...please bug me in a couple of days if you don't hear another update.

Hello folks.. The first two vulnerabilities are not applicable to RP8 for
linux. The third one we are in the process of figuring out the extent to which
it affects RP8(It doesn't affect the new community developed HelixPlayer that
RobLa mentioned earlier) and the appropriate fix.
The HelixPlayer will soon replace RP8.
I will update here as things get figured out.
thanks for your patience!
Vikram Dendi
(Program Manager for Helix Player)

Would it be possible to provide an ebuild for one of the nightly or milestone
builds from https://player.helixcommunity.org?

Perhaps at least as an option for those who need to view Real audio/video
streams but don't want to be exposed to the vulnerabilities recently found?

CC yourself on bug #37372.

Just sent an email to Vikram to get a status update.
-K

Received an quick answer from Vikram :
<< RP8 for Linux is fixed and all that's left is some QA and then updating the bits on the website. I will let you know when that's done. >>

Just sent an email to Vikram for a status update.

actually, um, I forgot to mention -- I've got access to a beta for the new
version, that I'm testing.  I'll release the ebuild as soon as Real.com gives
me the go-ahead.

Thanks

Vikram here. The RP8 build for Linux has been updated.
http://forms.real.com/real/player/unix/unix.html
Koon/Seemant feel free to download/use it if you are satisfied in your testing. RealPlayer10 alpha has also been released (in case you didn't know) with a superset functionality over RP8. So far we have heard that it has been very usable for most folks. 
https://player.helixcommunity.org/2004/downloads/

Also the nightly builds of the helix player for ppc linux should be live today here:
http://forms.helixcommunity.org/helixdnaclient/

Now if only I had a faster box for my gentoo installation :)

Now I'm completely confused. I tried to hunt down the helix versions the
ebuilds in portage want, but wasn't succesful. The odd version numbering, the
confusing page and the need to register (sometimes) doesn't help, either.

Then I grabbed what seems to be realplayer 10 alpha
(realplay-0.3.0.120-linux-2.2-libc6-gcc32-i586.tar.bz2) and played around with
it, with getting either errors

"General error: HXR_SE_INVALID_VERSION (0x80041902) (Server has reached its
capacity and can serve no more streams. Please try again later.

rtsp://cm2.zdv.uni-tuebingen.de/UT_2004/05/26/UT_20040526_001_hoerschaeden_0001.rm320.rm&start=00:00.0)"

or crashes.

Playback of local files seems fine, though. :-/

Waiting for a http://forms.real.com/real/player/unix/unix.html update that
leads to the new build.

I don't know if a helix-based Realplayer 10 is the solution, but right now,
Gentoo has no player that can play realvideo format reliably.  Current helix
isn't allowed to play it, and Mplayer's implementation routinely scrambles
video loses video/audio sync or and locks up mplayer (inconvenient in
fullscreen mode).

On my own machine, removing the mask, any news on other fronts?  Is the mask
actually based on a real exploit?

The mask is based upon an unsolved vulnerability, not an exploit being seen in
the wild. You can unmask the ebuild and do with it, it's still in Portage. You
can also run other Real.com installers outside the portage system.

not sure if the realplayer 10 (helixplayer + closed-source codecs) is a viable
alternative here. comments?

Well, I could say something on the quality of helix player, if I'd get it to
play any movie at all. It doesn't like all kinds of streaming servers I tried,
it  plays sound from hard disk without picture, it plays movie from disk
without sound, ten seconds later it crashes... Perhaps someone else here is
more successful, and I readily admit that it could be my fault.

Oh, and one question: do the other apps using the real codecs know where to
find them if you install them with real10? Seems like they don't.

As the person who submitted the ebuild for Real Player 10, I would definitely
state that it isn't quite ready for prime time.  It probably covers about 85%
of the stuff that I want it to do which is better than what I had before.  The
biggest issue that I have had is that it will not play any of the clips at
amazon.com because they are using an "obsolete" codec that isn't shipped with
Realplayer 10.  I've added my comments to their bug about the codec, but it
doesn't appear that they will add it to the codecs that are shipped with this
version of Real Player.  Other than that I haven't really had any problems with
it.  However, I'm not a heavy media user, and I'm sure that how well it works
is dependent upon the sites and media that various users are trying to access. 

RealPlayer 10 for Linux and Helix Player 1.0 Final released :
https://helixcommunity.org/forum/forum.php?forum_id=145

Hi,

I just found this on real hp:

http://www.service.real.com/help/faq/security/040928_player/EN/

they released security-fix updates of realplayer-10 and helixplayer

Poly

Lars, this is a different bug. Realplayer 10 and Helixplayer don't even support
all closed source Realplayer 8/9/One codecs afaik and the latter ones are not
affected by this bug (at least under Linux). I think you should open a new bug
report, if no one did already. The status of this bug report is clear, so it'll
get low attention.

*** Bug 79347 has been marked as a duplicate of this bug. ***

*** Bug 79345 has been marked as a duplicate of this bug. ***

Please note that new integer overflows hit 8.1, 8.2, 9.0, 9.1, bug 79345 has
details.

What is the status of this?  

1.  Is realplayer 10 available - I keep getting a "it's masked" but the -10 ebuild only has ~x86 in it.  I put ~x86 in /etc/portage/package.keywords and it still won't install.  package.mask talks about RP8 problems - so what it the status of 10?

2.  Does 10 play the RP8 codes?

3.  Is mplayer - as mentioned below a good alternative/

I'm confused <G>>

It's masked because it's listed in the package.mask file :

# RealOne/RealPlayer 8 vulnerabilities bug #40469
media-video/realplayer
media-video/realone

You have to use package.unmask (man portage) to unlock this.

Chris: Apparently you committed the latest realplayer10 recently... If it takes care of all the security issues (including applying the patches from http://www.service.real.com/help/faq/security/040928_player/EN/) then probably you could change the mask to <=media-video/realplayer-10 or something.

Real player 10.0.3 has been stable tested, and I will commit this as the secure
realplayer to be used.  Will wait for the go ahead from solar before removing
the package mask.  Please note that for the same security reasons, realplayer
bundled codecs will be used instead of mplayer's codecs from their site.

Realplayer commited.  Package.mask adjusted for anything less than 10.0.3.

*bump?*

I do not see any reason why we shouldn't close this bug