Bug 232999 - media-libs/win32codecs - multiple vulnerabilities in real codec (CVE-2007-5400)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://service.real.com/realplayer/se...
Whiteboard: B2 [glsa]
Reported: 2008-07-26 15:11 UTC by Carsten Lohrke (RETIRED)
Modified: 2014-12-26 13:28 UTC
Description Carsten Lohrke (RETIRED) gentoo-dev 2008-07-26 15:11:26 UTC
Assuming that only CVE-2007-5400 of the four vulnerabilities is relevant.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 00:23:05 UTC
rbu@peanut /var/tmp/portage/media-libs/win32codecs-20071007-r2/work/all-20071007 $ ls -la `grep -l "real.com" *`
-rwxr-xr-x 1 rbu rbu  42K 2005-02-15 20:39 cook.so
-rwxr-xr-x 1 rbu rbu  76K 2002-05-22 19:05 cook.so.6.0
-rwxr-xr-x 1 rbu rbu 314K 2005-02-15 20:40 drvc.so


I guess codecs in that package are just "added" and never really updated. How is that bunch of DLLs and SOs created, and is there a way to recreate it?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 23:18:09 UTC
ping, media-video?
Comment 3 Steve Dibb (RETIRED) gentoo-dev 2008-08-20 01:20:52 UTC
(In reply to comment #1)
> rbu@peanut
> /var/tmp/portage/media-libs/win32codecs-20071007-r2/work/all-20071007 $ ls -la
> `grep -l "real.com" *`
> -rwxr-xr-x 1 rbu rbu  42K 2005-02-15 20:39 cook.so
> -rwxr-xr-x 1 rbu rbu  76K 2002-05-22 19:05 cook.so.6.0
> -rwxr-xr-x 1 rbu rbu 314K 2005-02-15 20:40 drvc.so
> 
> 
> I guess codecs in that package are just "added" and never really updated. How
> is that bunch of DLLs and SOs created, and is there a way to recreate it?
> 

AFAIK, they're just copies from binary distributions of the win32 software, assembled by upstream.

Our only option is to pretty much dump support for win32 real codecs, which, considering how it's constantly the source of security issues, doesn't seem like such a bad idea.
Comment 4 Steve Dibb (RETIRED) gentoo-dev 2008-10-28 19:14:43 UTC
(In reply to comment #3)

> Our only option is to pretty much dump support for win32 real codecs, which,
> considering how it's constantly the source of security issues, doesn't seem
> like such a bad idea.
> 

Moving in that actual direction now, see bug 240341 for progress.

win32codecs-20071007-r3 dropped support for real (which will be moved into realcodecs package, and remain unstable), and also put a use.mask for real on the package.
Comment 5 Ulrich Müller gentoo-dev 2013-05-13 16:16:02 UTC
media-libs/win32codecs has been package.masked for removal, see bug 468406.

@Security team: Can this bug be closed, or do you still want to send a GLSA (the "B2" severity level seems to suggest so)?
Comment 6 Ulrich Müller gentoo-dev 2013-06-09 14:35:30 UTC
Package removed.
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-11 01:43:23 UTC
GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-12-16 13:06:08 UTC
This issue was resolved and addressed in GLSA 201312-11 at http://security.gentoo.org/glsa/glsa-201312-11.xml by GLSA coordinator Sergey Popov (pinkbyte).