Remote exploitation of a buffer overflow within RealNetworks' RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the context of the user. The issue specifically exists in the handling of HH:mm:ss.f time formats by the 'wallclock' functionality within the code supporting SMIL2. An excerpt from the code follows. http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547
media-video, what's the status here? please advise.
I haven't seen any releases from upstream regarding the issue, I'll have to find out what the status is.
*** Bug 189190 has been marked as a duplicate of this bug. ***
https://player.helixcommunity.org/2007/releases/rp10gold/RP10_0_9ReleaseNotes.html

What's New in 10.0.9
* This is a security update with a piggy-back bug fix.
* Fixed an embedded player crash in some music web sites.

No idea if this fixes this one, the above is all they provide. The damned thing is again not downloadable via normal SRC_URI, suggest that we finally stick RESTRICT=fetch into the ebuild and are done with it.

https://helixcommunity.org/projects/player/files/download/2479
media-video, does 10.0.9 solve the current issue?
media-video/realplayer-10.0.9 in the tree
(In reply to comment #6)
> media-video/realplayer-10.0.9 in the tree

Now there is such a message:
 * Download RealPlayer manually from Real's website at
 *
 *

Please replace ${DOWNLOADPAGE} with ${HOMEPAGE}.
(In reply to comment #7)
> (In reply to comment #6)
> > media-video/realplayer-10.0.9 in the tree
>
> Now there is such a message:
>  * Download RealPlayer manually from Real's website at
>  *
>  *
>
> Please replace ${DOWNLOADPAGE} with ${HOMEPAGE}.
>

fixed, thanks
x86 please test and mark stable.
x86 stable
glsa request filed.
it's GLSA 200709-05, thanks everybody