|Summary:||media-video/realplayer, media-video/realone : buffer overrun|
|Product:||Gentoo Security||Reporter:||Carsten Lohrke (RETIRED) <carlo>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||enhancement||CC:||chriswhite, dberkholz, emory.taylor, eradicator, gentoo-bugs, hodak, iyosifov, k, ladanyi, liquidx, m.debruijne, mmacleod, polynomial-c, robla, slucy, soulse, tar|
|Whiteboard:||B1 [upstream+ masked] koon|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||51970|
Description Carsten Lohrke (RETIRED) 2004-02-05 06:02:47 UTC
http://www.service.real.com/help/faq/security/040123_player/EN/ Reproducible: Always Steps to Reproduce: 1. 2. 3.
Comment 1 solar (RETIRED) 2004-02-05 06:29:34 UTC
Carlo This looks to be for Windows Players only. Can you try to find out some more details please.
Comment 2 Carsten Lohrke (RETIRED) 2004-02-05 10:08:46 UTC
>"Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms) don't know about exploit 3 - it's not noted
Comment 3 Jeremy Huddleston (RETIRED) 2004-02-06 01:28:37 UTC
there doesn't seem to be an updated linux binary on their servers yet either...
Comment 4 Carsten Lohrke (RETIRED) 2004-02-06 02:48:36 UTC
Jeremy: Sure. That doesn't mean, that Gentoo users do not deserve a warning. The stable status of the ebuilds shopuld be revoked.
Comment 5 Jeremy Huddleston (RETIRED) 2004-02-06 02:53:15 UTC
oh I agree 100%. I only mentioned that because I was hoping someone might know where (and if) updated linux binaries were released since the real.com website is a pain to navigate and I might've just missed it somehow.
Comment 6 solar (RETIRED) 2004-02-06 03:25:47 UTC
Comment 7 solar (RETIRED) 2004-02-06 03:25:47 UTC
Comment 8 Kurt Lieber (RETIRED) 2004-02-06 05:03:04 UTC
Since this is a remote exploit, I agree that the packages should be masked in portage.
Comment 9 solar (RETIRED) 2004-02-06 05:39:48 UTC
package masked for now.. new revision: 1.2680; previous revision: 1.2679 +# <email@example.com> (06 Feb 2004) +# RealPlayer 8 vulnerabilities bug #40469 +media-video/realplayer Can somebody please make an announcment on the gentoo-announce ml and touch base with the GWN guys. Anybody that's interested in getting this unmasked please contact the upstream vendor and request an updated version for linux.
Comment 10 Alastair Tse (RETIRED) 2004-02-06 05:46:04 UTC
i agree that it should be masked until a solution is found.
Comment 11 Carsten Lohrke (RETIRED) 2004-02-06 06:01:22 UTC
@solar: what about media-video/realone ?
Comment 12 Aron Griffis (RETIRED) 2004-02-06 07:13:00 UTC
Has anybody from Gentoo contacted RealNetworks directly to ask about a security update for Linux?
Comment 13 solar (RETIRED) 2004-02-06 09:29:27 UTC
Aron See comment #8 -------------------------------------------------------------------------------- Carlo Thanks again I was completely unaware that a realone even existed for linux. Seeing as your one of our best security bug reporters I'd like to request that when you report them if you could try to remember to include the category/package name corresponding to a report. Thanks in advance. -------------------------------------------------------------------------------- added to the package.mask new revision: 1.2681; previous revision: 1.2680 -# RealPlayer 8 vulnerabilities bug #40469 +# RealPlayer/RealOne 8 vulnerabilities bug #40469 media-video/realplayer +media-video/realone
Comment 14 solar (RETIRED) 2004-02-06 09:39:45 UTC
my last commit was a little unclear so I've reversed around the names. -# RealPlayer/RealOne 8 vulnerabilities bug #40469 +# RealOne/RealPlayer 8 vulnerabilities bug #40469
Comment 15 Alastair Tse (RETIRED) 2004-02-06 23:52:16 UTC
i've contacted them and here's the reply i got .. in short, seems like we're left out in the cold .. Hello! Thank you for contacting RealNetworks Technical Support. I am sorry to inform you that RealOne Player/RealPlayer 10 and the older versions are only available for Windows and Macintosh OS X operating systems at this time. RealNetworks does not release information on future availability or development of software products. Visit http://www.real.com or http://www.realnetworks.com for the latest published information on RealNetworks products. Additional Information: At the request of customers in the UNIX community, RealNetworks has provided RealPlayer software in a variety of Community Supported platforms. RealNetworks does not formally support these versions of RealPlayer, however, we have created a special public forum to provide users of these products with a way to share their thoughts and experiences. We encourage you to use the forum for this purpose. You may download a Community Supported RealPlayer from the following location: http://proforma.real.com/real/player/unix/unix.html? You can access the Community Supported RealPlayer Forum at the following location: http://realforum.real.com/cgi-bin/unixplayer/wwwthreads.pl --------------------------------------- However if you have comments or suggestions, you can submit your feedback by following the link given below: URL: http://www.expressresponse.com/cgi-bin/progsnp/real_fbk/srchjnnp?search_type=surveyreq&search_input=survey_1.html --------------------------------------- Regards, Dheeraj Pahlajani B2K Corp. RealNetworks Authorized Support Provider RealOne subscribers can send general account questions by visiting http://service.real.com/realone/contact/ ------- Original Message -------- From: firstname.lastname@example.org To: email@example.com Subject: Linux Security Updat_ER#1076084591.26972.4# Date: 02/06/04 08:37:40 Dear Real Customer Support, I am writing to you via this webform because I cannot find any other contact information on your website to which I can query about security issues. Firstly, I am a developer for Gentoo Linux, a free and opensource meta-distribution for Linux. We distribute executable instructions for uses to download and install free and/or open-source libraries and applications. We have received the annoucement from Real that the current versions of RealPlayer 8 and RealOne Player are vunerable to maciliously crafted media files that can execute arbitary code on a user's system. We treat these reports seriously and have decided to advice users to uninstall realplayer or realone player from their systems until this vunerability has been resolved. My question to Real Player Unix support is when (if possible) will there be a patched version of RealOne Player for Linux and/or RealPlayer 8 for Linux released that addresses the vunerability ? We will be willing to provide any information and or help that would allow the speedy solution to this problem. Thank you very much for your time. Best Regards, Alastair Tse (firstname.lastname@example.org)  http://service.real.com/help/faq/security/040123_player/EN/  http://bugs.gentoo.org/show_bug.cgi?id=40469 Search String: real_rec: RealOnePlayer2_0Buy OR RealOnePlayer1_0Buy OR RealOnePlayer1_0Try OR RealOneServices OR RealOnePlayerOSX OR RealOneMobile OR BillShipReturn OR Downloading OR Ordering OR Privacy OR SerialUpgradeSubscription OR RealNetworksCompany OR RealNetworksWebsite: Linux Security Update [X] None of the above THE INFORMATION PROVIDED IN THE REALNETWORKS KNOWLEDGE BASE IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND. REALNETWORKS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL REALNETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF REALNETWORKS OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright c RealNetworks Inc. and/or its licensors, 1995 - 1999 all rights reserved. RealAudio, RealVideo, RealMedia and RealPlayer are trademarks of RealNetworks Inc. --------------------- Instructions to Reply --------------------- Your Incident ID number for this request is 53514156 To reply to this message you may simply reply to this email. (Please do not modify the subject line)
Comment 16 Stefan Briesenick (RETIRED) 2004-02-15 05:23:19 UTC
Grrrrr! That is absolutely bullshit! grrrr! I don't like the realplayer at all, but their codecs are unfortunately needed for so many websites. If real doesn't react quickly, we need an alternative. Maybe Mplayer with hacked real-codecs? Or Mplayer with already patched windows-dll's? Ok, last one doesn't help non x86 users... :-(
Comment 17 solar (RETIRED) 2004-02-15 10:08:10 UTC
reverse engineering codecs and dll's is not our job and may even not be permitted by license or law. Your more than welcome to start a new opensource project for such a task, but it's quite simply beyond the scope of the distribution.
Comment 18 hodak 2004-02-15 13:42:02 UTC
Mplayer can already decode RealAudio/RealVideo formats. No need to hack anything. There is also mplayer-plugin for browsing internet.
Comment 19 Carsten Lohrke (RETIRED) 2004-02-29 15:03:57 UTC
Was this vulnerability announced? There's no issue in forums.g.o/News & Announcements.
Comment 20 solar (RETIRED) 2004-03-17 19:16:21 UTC
No GLSA sent out.
Comment 21 Seemant Kulleen (RETIRED) 2004-03-19 16:28:06 UTC
Well, I talked with Rob Lamphier on the telephone just a few minutes ago to ask him on the progress of this issue. I hope we'll hear from Real soon about possible fixes.
Comment 22 Rob Lanphier 2004-03-19 17:48:10 UTC
Hi all - the vulnerability announcement you are referring to was specific to Windows platforms. That said, I don't yet know the answer to the specific question of whether or not RealPlayer 8 for Linux or the RealOne Player alpha for Linux are vulnerable. I started that ball rolling, but it'll take a bit to figure it out. In the meantime, we know for certain that the Helix Player for Linux (https://player.helixcommunity.org) is not vulnerable. We also know that mplayer + our DLLs to play back RealAudio and RealVideo constitutes a violation of our license agreement, so I recommend against considering that a "solution" for playing back RealAudio and RealVideo.
Comment 23 Carsten Lohrke (RETIRED) 2004-03-20 02:11:25 UTC
>Hi all - the vulnerability announcement you are referring to was specific to Windows platforms. That said, I don't yet know the answer to the specific question of whether or not RealPlayer 8 for Linux or the RealOne Player alpha for Linux are vulnerable. First, thanks for clearing this up - more or less. Exactly this sort of statements (the unclear announcement and your "hm, don't know for sure" comment) is one of the reasons, why I don't feel good using closed source software.
Comment 24 Rob Lanphier 2004-03-23 15:18:45 UTC
Hi folks -- sorry this is taking so long. We're in an awkward transitional time between our old player (RealPlayer 8) and the new player (Helix Player). The problem slipped through the cracks as a result of that. We'll keep folks posted...please bug me in a couple of days if you don't hear another update.
Comment 25 Vikram Dendi 2004-03-29 00:59:23 UTC
Hello folks.. The first two vulnerabilities are not applicable to RP8 for linux. The third one we are in the process of figuring out the extent to which it affects RP8(It doesn't affect the new community developed HelixPlayer that RobLa mentioned earlier) and the appropriate fix. The HelixPlayer will soon replace RP8. I will update here as things get figured out. thanks for your patience! Vikram Dendi (Program Manager for Helix Player)
Comment 26 theboywho 2004-03-31 04:12:22 UTC
Would it be possible to provide an ebuild for one of the nightly or milestone builds from https://player.helixcommunity.org? Perhaps at least as an option for those who need to view Real audio/video streams but don't want to be exposed to the vulnerabilities recently found?
Comment 28 Thierry Carrez (RETIRED) 2004-04-23 08:14:45 UTC
Just sent an email to Vikram to get a status update. -K
Comment 29 Thierry Carrez (RETIRED) 2004-04-24 02:08:37 UTC
Received an quick answer from Vikram : << RP8 for Linux is fixed and all that's left is some QA and then updating the bits on the website. I will let you know when that's done. >>
Comment 30 Thierry Carrez (RETIRED) 2004-05-31 03:27:26 UTC
Just sent an email to Vikram for a status update.
Comment 31 Seemant Kulleen (RETIRED) 2004-05-31 08:37:35 UTC
actually, um, I forgot to mention -- I've got access to a beta for the new version, that I'm testing. I'll release the ebuild as soon as Real.com gives me the go-ahead. Thanks
Comment 32 Vikram Dendi 2004-06-02 21:35:07 UTC
Vikram here. The RP8 build for Linux has been updated. http://forms.real.com/real/player/unix/unix.html Koon/Seemant feel free to download/use it if you are satisfied in your testing. RealPlayer10 alpha has also been released (in case you didn't know) with a superset functionality over RP8. So far we have heard that it has been very usable for most folks. https://player.helixcommunity.org/2004/downloads/ Also the nightly builds of the helix player for ppc linux should be live today here: http://forms.helixcommunity.org/helixdnaclient/ Now if only I had a faster box for my gentoo installation :)
Comment 33 Thomas R. (TRauMa) 2004-06-03 08:35:04 UTC
Now I'm completely confused. I tried to hunt down the helix versions the ebuilds in portage want, but wasn't succesful. The odd version numbering, the confusing page and the need to register (sometimes) doesn't help, either. Then I grabbed what seems to be realplayer 10 alpha (realplay-0.3.0.120-linux-2.2-libc6-gcc32-i586.tar.bz2) and played around with it, with getting either errors "General error: HXR_SE_INVALID_VERSION (0x80041902) (Server has reached its capacity and can serve no more streams. Please try again later. rtsp://cm2.zdv.uni-tuebingen.de/UT_2004/05/26/UT_20040526_001_hoerschaeden_0001.rm320.rm&start=00:00.0)" or crashes. Playback of local files seems fine, though. :-/
Comment 34 Thierry Carrez (RETIRED) 2004-06-07 13:33:07 UTC
Waiting for a http://forms.real.com/real/player/unix/unix.html update that leads to the new build.
Comment 35 bugs 2004-06-24 16:45:53 UTC
I don't know if a helix-based Realplayer 10 is the solution, but right now, Gentoo has no player that can play realvideo format reliably. Current helix isn't allowed to play it, and Mplayer's implementation routinely scrambles video loses video/audio sync or and locks up mplayer (inconvenient in fullscreen mode). On my own machine, removing the mask, any news on other fronts? Is the mask actually based on a real exploit?
Comment 36 Thierry Carrez (RETIRED) 2004-06-25 10:51:30 UTC
The mask is based upon an unsolved vulnerability, not an exploit being seen in the wild. You can unmask the ebuild and do with it, it's still in Portage. You can also run other Real.com installers outside the portage system.
Comment 37 Alastair Tse (RETIRED) 2004-07-01 12:05:57 UTC
not sure if the realplayer 10 (helixplayer + closed-source codecs) is a viable alternative here. comments?
Comment 38 Thomas R. (TRauMa) 2004-07-01 13:40:09 UTC
Well, I could say something on the quality of helix player, if I'd get it to play any movie at all. It doesn't like all kinds of streaming servers I tried, it plays sound from hard disk without picture, it plays movie from disk without sound, ten seconds later it crashes... Perhaps someone else here is more successful, and I readily admit that it could be my fault. Oh, and one question: do the other apps using the real codecs know where to find them if you install them with real10? Seems like they don't.
Comment 39 Paul Varner (RETIRED) 2004-07-01 16:51:49 UTC
As the person who submitted the ebuild for Real Player 10, I would definitely state that it isn't quite ready for prime time. It probably covers about 85% of the stuff that I want it to do which is better than what I had before. The biggest issue that I have had is that it will not play any of the clips at amazon.com because they are using an "obsolete" codec that isn't shipped with Realplayer 10. I've added my comments to their bug about the codec, but it doesn't appear that they will add it to the codecs that are shipped with this version of Real Player. Other than that I haven't really had any problems with it. However, I'm not a heavy media user, and I'm sure that how well it works is dependent upon the sites and media that various users are trying to access.
Comment 40 Thierry Carrez (RETIRED) 2004-08-05 02:00:22 UTC
RealPlayer 10 for Linux and Helix Player 1.0 Final released : https://helixcommunity.org/forum/forum.php?forum_id=145
Comment 41 Lars Wendler (Polynomial-C) 2004-09-29 06:14:52 UTC
Hi, I just found this on real hp: http://www.service.real.com/help/faq/security/040928_player/EN/ they released security-fix updates of realplayer-10 and helixplayer Poly
Comment 42 Carsten Lohrke (RETIRED) 2004-09-29 12:57:47 UTC
Lars, this is a different bug. Realplayer 10 and Helixplayer don't even support all closed source Realplayer 8/9/One codecs afaik and the latter ones are not affected by this bug (at least under Linux). I think you should open a new bug report, if no one did already. The status of this bug report is clear, so it'll get low attention.
Comment 43 Thierry Carrez (RETIRED) 2005-01-25 02:59:41 UTC
*** Bug 79347 has been marked as a duplicate of this bug. ***
Comment 44 Thierry Carrez (RETIRED) 2005-01-25 03:00:06 UTC
*** Bug 79345 has been marked as a duplicate of this bug. ***
Comment 45 Thierry Carrez (RETIRED) 2005-01-25 03:01:07 UTC
Please note that new integer overflows hit 8.1, 8.2, 9.0, 9.1, bug 79345 has details.
Comment 46 Brett I. Holcomb 2005-01-27 19:43:49 UTC
What is the status of this? 1. Is realplayer 10 available - I keep getting a "it's masked" but the -10 ebuild only has ~x86 in it. I put ~x86 in /etc/portage/package.keywords and it still won't install. package.mask talks about RP8 problems - so what it the status of 10? 2. Does 10 play the RP8 codes? 3. Is mplayer - as mentioned below a good alternative/ I'm confused <G>>
Comment 47 Thierry Carrez (RETIRED) 2005-01-28 01:04:33 UTC
It's masked because it's listed in the package.mask file : # RealOne/RealPlayer 8 vulnerabilities bug #40469 media-video/realplayer media-video/realone You have to use package.unmask (man portage) to unlock this. Chris: Apparently you committed the latest realplayer10 recently... If it takes care of all the security issues (including applying the patches from http://www.service.real.com/help/faq/security/040928_player/EN/) then probably you could change the mask to <=media-video/realplayer-10 or something.
Comment 48 Chris White (RETIRED) 2005-03-12 22:23:56 UTC
Real player 10.0.3 has been stable tested, and I will commit this as the secure realplayer to be used. Will wait for the go ahead from solar before removing the package mask. Please note that for the same security reasons, realplayer bundled codecs will be used instead of mplayer's codecs from their site.
Comment 49 Chris White (RETIRED) 2005-03-13 19:41:47 UTC
Realplayer commited. Package.mask adjusted for anything less than 10.0.3.
Comment 50 Chris White (RETIRED) 2005-03-28 20:31:17 UTC
Comment 51 solar (RETIRED) 2005-04-10 10:46:44 UTC
I do not see any reason why we shouldn't close this bug