There is a remotly exploitable format string vulnerability in the latest Helix Media Player suit that will allow an attacker the possibility to execute malicious code on a victims computer. The exploit code will execute a remote shell under the permissions of the user running the media player, and effects all versions of RealPlayer and Helix Player. The bug is exploitable by abusing media, including .rp (relpix)and .rt (realtext) file formats. Although others may be effected I stick to realpix file format for this advisory. http://www.open-security.org/advisories/13
"Real have been duely informed about this issue and are fixing."
Patch for Helix: in player/common/gtk/hxgerror.cpp: This line: err = g_error_new (HX_ERROR, code, message->str); should become this: err = g_error_new (HX_ERROR, code, "%s", message->str); 1.0.6 is coming up from Real, but you can start patching...
Please patch Helix, while we wait for a RealPlayer fix...
Linux RealPlayer 10.0.6 is out, bump also needed there. CAN-2005-2710 http://service.real.com/help/faq/security/050930_player/EN/ http://www.idefense.com/application/poi/display?id=311&type=vulnerabilities&flashstatus=true
realplayer 10.0.6 is up. x86/amd64 please test and mark stable accordingly. Note: helixplayer still has to be bumped.
realplayer 10.0.6 stable on x86
realplayer stable on amd64, sorry for the delay
Thx everyone, this is GLSA 200510-07
It doesn't appear to me that helixplayer ever got bumped to address the vulnerability.
You're right Paul:-/ media-video please provide an updated ebuild.
Server down, helixplayer masked, pending removal as it seems more a problem than anything else.
GLSA 200510-07 updated.
(In reply to comment #11) > Server down, helixplayer masked, pending removal as it seems more a problem > than anything else. > The server appears to be up. Any chance of getting helixplayer re-added to portage? It appears the 1.0.6 release has been out since september. https://helixcommunity.org/download.php/1585/hxplay-1.0.6-source.tar.bz2
media-video any news on this one?
Realplayer should be updated, helixplayer is removed iirc.
helixplayer is removed. Resetting severity rating to reflect Realplayer. Thx everyone.