There is a remotly exploitable format string vulnerability in the latest Helix
Media Player suit that will allow an attacker the possibility to execute
malicious code on a victims computer. The exploit code will execute a remote
shell under the permissions of the user running the media player, and effects
all versions of RealPlayer and Helix Player.
The bug is exploitable by abusing media, including .rp (relpix)and .rt
(realtext) file formats. Although others may be effected I stick to realpix file
format for this advisory.
"Real have been duely informed about this issue and are fixing."
Patch for Helix: in player/common/gtk/hxgerror.cpp:
err = g_error_new (HX_ERROR, code, message->str);
should become this:
err = g_error_new (HX_ERROR, code, "%s", message->str);
1.0.6 is coming up from Real, but you can start patching...
Please patch Helix, while we wait for a RealPlayer fix...
Linux RealPlayer 10.0.6 is out, bump also needed there.
realplayer 10.0.6 is up. x86/amd64 please test and mark stable accordingly.
Note: helixplayer still has to be bumped.
realplayer 10.0.6 stable on x86
realplayer stable on amd64, sorry for the delay
Thx everyone, this is GLSA 200510-07
It doesn't appear to me that helixplayer ever got bumped to address the
You're right Paul:-/
media-video please provide an updated ebuild.
Server down, helixplayer masked, pending removal as it seems more a problem
than anything else.
GLSA 200510-07 updated.
(In reply to comment #11)
> Server down, helixplayer masked, pending removal as it seems more a problem
> than anything else.
The server appears to be up. Any chance of getting helixplayer re-added to portage? It appears the 1.0.6 release has been out since september.
media-video any news on this one?
Realplayer should be updated, helixplayer is removed iirc.
helixplayer is removed. Resetting severity rating to reflect Realplayer.