183421 2007-06-27 15:48 0000 media-video/realplayer - stack overflow vulnerability (CVE-2007-3410) 2007-09-14 21:45:22 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547 B2 [glsa] p-y P2 normal --- 1 carlo@gentoo.org security@gentoo.org marktrolley@gmail.com media-video@gentoo.org carlo@gentoo.org 2007-06-27 15:48:28 0000 Remote exploitation of a buffer overflow within RealNetworks' RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the context of the user. The issue specifically exists in the handling of HH:mm:ss.f time formats by the 'wallclock' functionality within the code supporting SMIL2. An excerpt from the code follows. http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547 py@gentoo.org 2007-07-15 15:21:00 0000 media-video, what's the status here? please advise. beandog@gentoo.org 2007-07-15 16:00:10 0000 I haven't seen any releases from usptream regarding the issue, I'll have to find out what the status is. jakub@gentoo.org 2007-08-17 06:35:28 0000 *** Bug 189190 has been marked as a duplicate of this bug. *** jakub@gentoo.org 2007-08-17 06:37:09 0000 https://player.helixcommunity.org/2007/releases/rp10gold/RP10_0_9ReleaseNotes.html What's New in 10.0.9 * This is a security update with a piggy-back bug fix. * Fixed an embedded player crash in some music web sites. No idea if this fixes this one, the above is all they provide. The damned thing is again not downloadable via normal SRC_URI, suggest that we finally stick RESTRICT=fetch into the ebuild and are done with it. https://helixcommunity.org/projects/player/files/download/2479 jaervosz@gentoo.org 2007-08-17 21:40:54 0000 media-video does 10.0.9 solve the current issue? beandog@gentoo.org 2007-08-25 14:02:51 0000 media-video/realplayer-10.0.9 in the tree arfrever@gentoo.org 2007-08-26 13:30:17 0000 (In reply to comment #6) > media-video/realplayer-10.0.9 in the tree Now there is such a message: * Download RealPlayer manually from Real's website at * * Please replace ${DOWNLOADPAGE} with ${HOMEPAGE}. beandog@gentoo.org 2007-08-27 13:45:05 0000 (In reply to comment #7) > (In reply to comment #6) > > media-video/realplayer-10.0.9 in the tree > > Now there is such a message: > * Download RealPlayer manually from Real's website at > * > * > > Please replace ${DOWNLOADPAGE} with ${HOMEPAGE}. > fixed, thanks jaervosz@gentoo.org 2007-08-28 19:48:09 0000 x86 please test and mark stable. jurek@gentoo.org 2007-08-28 22:25:14 0000 x86 stable py@gentoo.org 2007-08-29 10:20:18 0000 glsa request filed. falco@gentoo.org 2007-09-14 21:45:22 0000 it's GLSA 200709-05, thanks everybody