Bug 107309 - media-video/{helix,real}player: remotely exploitable format string vulnerability (CAN-2005-2710)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://www.open-security.org/advisori...
Whiteboard: B2 [glsa] jaervosz
Reported: 2005-09-26 11:48 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-03-23 22:08 UTC
Description Carsten Lohrke (RETIRED) gentoo-dev 2005-09-26 11:48:20 UTC
There is a remotely exploitable format string vulnerability in the latest Helix
Media Player suite that will allow an attacker the possibility to execute
malicious code on a victim's computer. The exploit code will execute a remote
shell under the permissions of the user running the media player, and affects
all versions of RealPlayer and Helix Player.

The bug is exploitable by abusing media, including .rp (realpix) and .rt
(realtext) file formats. Although others may be affected, I stick to the realpix
file format for this advisory.

http://www.open-security.org/advisories/13
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-09-26 11:57:38 UTC
"Real have been duly informed about this issue and are fixing."
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-09-28 00:54:36 UTC
Patch for Helix: in player/common/gtk/hxgerror.cpp:

This line:
err = g_error_new (HX_ERROR, code, message->str);

should become this:
err = g_error_new (HX_ERROR, code, "%s", message->str);

1.0.6 is coming up from Real, but you can start patching...
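
The one-line change in comment 2, as an added example (not code from this bug report or from the Helix source): `make_error` is a hypothetical stand-in for `g_error_new`, and the sample message is constructed. It shows the message being interpreted as a format before the fix and copied verbatim after it, plus a check for strings that would fetch arguments the unpatched call never passes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for g_error_new(): a printf-style format followed by
 * varargs. The attribute makes the compiler check every call site. */
__attribute__((format(printf, 3, 4)))
static int make_error(char *out, size_t len, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, len, format, ap);
    va_end(ap);
    return n;
}

/* Before the fix: the message itself is the format string. -Wformat-security
 * flags this call; it is silenced only to keep the unpatched form here. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int format_unpatched(char *out, size_t len, const char *message)
{
    return make_error(out, len, message);
}
#pragma GCC diagnostic pop

/* After the fix: constant format, message passed as data. */
static int format_patched(char *out, size_t len, const char *message)
{
    return make_error(out, len, "%s", message);
}

/* Returns 1 if `s`, used as a format, would fetch arguments the unpatched
 * call never supplies: any '%' that is not the first half of "%%". */
static int reads_varargs(const char *s)
{
    for (; *s; s++)
        if (*s == '%' && *++s != '%') return 1;
    return 0;
}

int main(void)
{
    const char *msg = "buffering 100%% of clip";  /* constructed sample */
    char a[64], b[64];
    format_unpatched(a, sizeof a, msg);  /* "%%" collapses: text was parsed */
    format_patched(b, sizeof b, msg);    /* text is copied unchanged */
    printf("unpatched: %s\npatched:   %s\nverbatim: %d\n", a, b, strcmp(b, msg) == 0);
}
```

Only a message for which `reads_varargs` returns 0 is passed to the unpatched path here; a directive such as `%x` there would read arguments that were never supplied, which is undefined behaviour.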
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-10-01 03:10:42 UTC
Please patch Helix, while we wait for a RealPlayer fix...
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-01 03:23:38 UTC
Linux RealPlayer 10.0.6 is out, bump also needed there.

CAN-2005-2710
http://service.real.com/help/faq/security/050930_player/EN/
http://www.idefense.com/application/poi/display?id=311&type=vulnerabilities&flashstatus=true
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-10-04 06:34:40 UTC
realplayer 10.0.6 is up. x86/amd64 please test and mark stable accordingly.
Note: helixplayer still has to be bumped.
Comment 6 Paul Varner (RETIRED) gentoo-dev 2005-10-04 09:16:00 UTC
realplayer 10.0.6 stable on x86
Comment 7 Simon Stelling (RETIRED) gentoo-dev 2005-10-07 05:11:30 UTC
realplayer stable on amd64, sorry for the delay
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-10-07 10:24:39 UTC
Thx everyone, this is GLSA 200510-07
Comment 9 Paul Varner (RETIRED) gentoo-dev 2005-11-21 10:32:48 UTC
It doesn't appear to me that helixplayer ever got bumped to address the
vulnerability.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-21 10:57:04 UTC
You're right Paul:-/ 
 
media-video please provide an updated ebuild.  
Comment 11 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-11-21 11:17:04 UTC
Server down, helixplayer masked, pending removal as it seems more a problem 
than anything else. 
 
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-22 13:22:00 UTC
GLSA 200510-07 updated. 
Comment 13 Christie Harris 2006-01-12 19:25:01 UTC
(In reply to comment #11)
> Server down, helixplayer masked, pending removal as it seems more a problem 
> than anything else. 
>  
The server appears to be up. Any chance of getting helixplayer re-added to portage? It appears the 1.0.6 release has been out since September.

https://helixcommunity.org/download.php/1585/hxplay-1.0.6-source.tar.bz2
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 12:26:33 UTC
media-video any news on this one?
Comment 15 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-03-22 12:40:06 UTC
Realplayer should be updated, helixplayer is removed iirc.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-23 22:08:01 UTC
helixplayer is removed. Resetting severity rating to reflect Realplayer.

Thx everyone.