Bug 183421

Summary:	media-video/realplayer - stack overflow vulnerability (CVE-2007-3410)
Product:	Gentoo Security	Reporter:	Carsten Lohrke (RETIRED) <carlo>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	marktrolley, media-video
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547
Whiteboard:	B2 [glsa] p-y
Package list:		Runtime testing required:	---

Description Carsten Lohrke (RETIRED) gentoo-dev

2007-06-27 15:48:28 UTC

Remote exploitation of a buffer overflow within RealNetworks' RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the context of the user.

The issue specifically exists in the handling of HH:mm:ss.f time formats by the 'wallclock' functionality within the code supporting SMIL2. An excerpt from the code follows.


http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547

Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-07-15 15:21:00 UTC

media-video, what's the status here? please advise.

Comment 2 Steve Dibb (RETIRED) gentoo-dev

2007-07-15 16:00:10 UTC

I haven't seen any releases from usptream regarding the issue, I'll have to find out what the status is.

Comment 3 Jakub Moc (RETIRED) gentoo-dev

2007-08-17 06:35:28 UTC

*** Bug 189190 has been marked as a duplicate of this bug. ***

Comment 4 Jakub Moc (RETIRED) gentoo-dev

2007-08-17 06:37:09 UTC

https://player.helixcommunity.org/2007/releases/rp10gold/RP10_0_9ReleaseNotes.html

What's New in 10.0.9

    * This is a security update with a piggy-back bug fix.
    * Fixed an embedded player crash in some music web sites.

No idea if this fixes this one, the above is all they provide. The damned thing is again not downloadable via normal SRC_URI, suggest that we finally stick RESTRICT=fetch into the ebuild and are done with it.

https://helixcommunity.org/projects/player/files/download/2479

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-08-17 21:40:54 UTC

media-video does 10.0.9 solve the current issue?

Comment 6 Steve Dibb (RETIRED) gentoo-dev

2007-08-25 14:02:51 UTC

media-video/realplayer-10.0.9 in the tree

Comment 7 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev

2007-08-26 13:30:17 UTC

(In reply to comment #6)
> media-video/realplayer-10.0.9 in the tree

Now there is such a message:
 * Download RealPlayer manually from Real's website at
 *
 *

Please replace ${DOWNLOADPAGE} with ${HOMEPAGE}.

Comment 8 Steve Dibb (RETIRED) gentoo-dev

2007-08-27 13:45:05 UTC

(In reply to comment #7)
> (In reply to comment #6)
> > media-video/realplayer-10.0.9 in the tree
> 
> Now there is such a message:
>  * Download RealPlayer manually from Real's website at
>  *
>  *
> 
> Please replace ${DOWNLOADPAGE} with ${HOMEPAGE}.
> 

fixed, thanks

Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-08-28 19:48:09 UTC

x86 please test and mark stable.

Comment 10 Jurek Bartuszek (RETIRED) gentoo-dev

2007-08-28 22:25:14 UTC

x86 stable

Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-08-29 10:20:18 UTC

glsa request filed.

Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-09-14 21:45:22 UTC

it's GLSA 200709-05, thanks everybody