107309 2005-09-26 11:48 0000 media-video/{helix,real}player: remotly exploitable format string vulnerability(CAN-2005-2710) 2006-03-23 22:08:01 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.open-security.org/advisories/13 B2 [glsa] jaervosz P2 enhancement --- 1 carlo@gentoo.org security@gentoo.org media-video@gentoo.org carlo@gentoo.org 2005-09-26 11:48:20 0000 There is a remotly exploitable format string vulnerability in the latest Helix Media Player suit that will allow an attacker the possibility to execute malicious code on a victims computer. The exploit code will execute a remote shell under the permissions of the user running the media player, and effects all versions of RealPlayer and Helix Player. The bug is exploitable by abusing media, including .rp (relpix)and .rt (realtext) file formats. Although others may be effected I stick to realpix file format for this advisory. http://www.open-security.org/advisories/13 koon@gentoo.org 2005-09-26 11:57:38 0000 "Real have been duely informed about this issue and are fixing." koon@gentoo.org 2005-09-28 00:54:36 0000 Patch for Helix: in player/common/gtk/hxgerror.cpp: This line: err = g_error_new (HX_ERROR, code, message->str); should become this: err = g_error_new (HX_ERROR, code, "%s", message->str); 1.0.6 is coming up from Real, but you can start patching... koon@gentoo.org 2005-10-01 03:10:42 0000 Please patch Helix, while we wait for a RealPlayer fix... koon@gentoo.org 2005-10-01 03:23:38 0000 Linux RealPlayer 10.0.6 is out, bump also needed there. CAN-2005-2710 http://service.real.com/help/faq/security/050930_player/EN/ http://www.idefense.com/application/poi/display?id=311&type=vulnerabilities&flashstatus=true koon@gentoo.org 2005-10-04 06:34:40 0000 realplayer 10.0.6 is up. x86/amd64 please test and mark stable accordingly. Note: helixplayer still has to be bumped. fuzzyray@gentoo.org 2005-10-04 09:16:00 0000 realplayer 10.0.6 stable on x86 blubb@gentoo.org 2005-10-07 05:11:30 0000 realplayer stable on amd64, sorry for the delay koon@gentoo.org 2005-10-07 10:24:39 0000 Thx everyone, this is GLSA 200510-07 fuzzyray@gentoo.org 2005-11-21 10:32:48 0000 It doesn't appear to me that helixplayer ever got bumped to address the vulnerability. jaervosz@gentoo.org 2005-11-21 10:57:04 0000 You're right Paul:-/ media-video please provide an updated ebuild. flameeyes@gentoo.org 2005-11-21 11:17:04 0000 Server down, helixplayer masked, pending removal as it seems more a problem than anything else. jaervosz@gentoo.org 2005-11-22 13:22:00 0000 GLSA 200510-07 updated. dangle.baby@gmail.com 2006-01-12 19:25:01 0000 (In reply to comment #11) > Server down, helixplayer masked, pending removal as it seems more a problem > than anything else. > The server appears to be up. Any chance of getting helixplayer re-added to portage? It appears the 1.0.6 release has been out since september. https://helixcommunity.org/download.php/1585/hxplay-1.0.6-source.tar.bz2 jaervosz@gentoo.org 2006-03-22 12:26:33 0000 media-video any news on this one? flameeyes@gentoo.org 2006-03-22 12:40:06 0000 Realplayer should be updated, helixplayer is removed iirc. jaervosz@gentoo.org 2006-03-23 22:08:01 0000 helixplayer is removed. Resetting severity rating to reflect Realplayer. Thx everyone.