http://www.service.real.com/help/faq/security/040123_player/EN/ Reproducible: Always Steps to Reproduce: 1. 2. 3.
Carlo This looks to be for Windows Players only. Can you try to find out some more details please.
>"Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms) don't know about exploit 3 - it's not noted
there doesn't seem to be an updated linux binary on their servers yet either...
Jeremy: Sure. That doesn't mean, that Gentoo users do not deserve a warning. The stable status of the ebuilds shopuld be revoked.
oh I agree 100%. I only mentioned that because I was hoping someone might know where (and if) updated linux binaries were released since the real.com website is a pain to navigate and I might've just missed it somehow.
I'm pasting this here.. It's alot easier when we dont have to go chasing down urls to get the basic info.. ----------------------------------------------------------------------- RealNetworks, Inc. Releases Update to Address Security Vulnerabilities. Updated February 4, 2004 RealNetworks, Inc. has recently been made aware of security vulnerabilities that could potentially allow an attacker to run arbitrary code on a user's machine. The specific exploits were: * Exploit 1: To operate remote Javascript from the domain of the URL opened by a SMIL file or other file. * Exploit 2: To fashion RMP files which allow an attacker to download and execute arbitrary code on a user's machine. * Exploit 3: To fashion media files to create
I'm pasting this here.. It's alot easier when we dont have to go chasing down urls to get the basic info.. ----------------------------------------------------------------------- RealNetworks, Inc. Releases Update to Address Security Vulnerabilities. Updated February 4, 2004 RealNetworks, Inc. has recently been made aware of security vulnerabilities that could potentially allow an attacker to run arbitrary code on a user's machine. The specific exploits were: * Exploit 1: To operate remote Javascript from the domain of the URL opened by a SMIL file or other file. * Exploit 2: To fashion RMP files which allow an attacker to download and execute arbitrary code on a user's machine. * Exploit 3: To fashion media files to create Buffer Overrun errors. While we have not received reports of anyone actually being attacked with this exploit, all security vulnerabilities are taken very seriously by RealNetworks. RealNetworks has found and fixed the problem. Affected Software: "Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager). "Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager). "Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).
Since this is a remote exploit, I agree that the packages should be masked in portage.
package masked for now.. new revision: 1.2680; previous revision: 1.2679 +# <solar@gentoo.org> (06 Feb 2004) +# RealPlayer 8 vulnerabilities bug #40469 +media-video/realplayer Can somebody please make an announcment on the gentoo-announce ml and touch base with the GWN guys. Anybody that's interested in getting this unmasked please contact the upstream vendor and request an updated version for linux.
i agree that it should be masked until a solution is found.
@solar: what about media-video/realone ?
Has anybody from Gentoo contacted RealNetworks directly to ask about a security update for Linux?
Aron See comment #8 -------------------------------------------------------------------------------- Carlo Thanks again I was completely unaware that a realone even existed for linux. Seeing as your one of our best security bug reporters I'd like to request that when you report them if you could try to remember to include the category/package name corresponding to a report. Thanks in advance. -------------------------------------------------------------------------------- added to the package.mask new revision: 1.2681; previous revision: 1.2680 -# RealPlayer 8 vulnerabilities bug #40469 +# RealPlayer/RealOne 8 vulnerabilities bug #40469 media-video/realplayer +media-video/realone
my last commit was a little unclear so I've reversed around the names. -# RealPlayer/RealOne 8 vulnerabilities bug #40469 +# RealOne/RealPlayer 8 vulnerabilities bug #40469
i've contacted them and here's the reply i got .. in short, seems like we're left out in the cold .. Hello! Thank you for contacting RealNetworks Technical Support. I am sorry to inform you that RealOne Player/RealPlayer 10 and the older versions are only available for Windows and Macintosh OS X operating systems at this time. RealNetworks does not release information on future availability or development of software products. Visit http://www.real.com or http://www.realnetworks.com for the latest published information on RealNetworks products. Additional Information: At the request of customers in the UNIX community, RealNetworks has provided RealPlayer software in a variety of Community Supported platforms. RealNetworks does not formally support these versions of RealPlayer, however, we have created a special public forum to provide users of these products with a way to share their thoughts and experiences. We encourage you to use the forum for this purpose. You may download a Community Supported RealPlayer from the following location: http://proforma.real.com/real/player/unix/unix.html? You can access the Community Supported RealPlayer Forum at the following location: http://realforum.real.com/cgi-bin/unixplayer/wwwthreads.pl --------------------------------------- However if you have comments or suggestions, you can submit your feedback by following the link given below: URL: http://www.expressresponse.com/cgi-bin/progsnp/real_fbk/srchjnnp?search_type=surveyreq&search_input=survey_1.html --------------------------------------- Regards, Dheeraj Pahlajani B2K Corp. RealNetworks Authorized Support Provider RealOne subscribers can send general account questions by visiting http://service.real.com/realone/contact/ ------- Original Message -------- From: liquidx@gentoo.org To: realone@support.real.com Subject: Linux Security Updat_ER#1076084591.26972.4# Date: 02/06/04 08:37:40 Dear Real Customer Support, I am writing to you via this webform because I cannot find any other contact information on your website to which I can query about security issues. Firstly, I am a developer for Gentoo Linux, a free and opensource meta-distribution for Linux. We distribute executable instructions for uses to download and install free and/or open-source libraries and applications. We have received the annoucement from Real that the current versions of RealPlayer 8 and RealOne Player are vunerable to maciliously crafted media files that can execute arbitary code on a user's system[2]. We treat these reports seriously and have decided to advice users to uninstall realplayer or realone player from their systems until this vunerability has been resolved. My question to Real Player Unix support is when (if possible) will there be a patched version of RealOne Player for Linux and/or RealPlayer 8 for Linux released that addresses the vunerability[1] ? We will be willing to provide any information and or help that would allow the speedy solution to this problem. Thank you very much for your time. Best Regards, Alastair Tse (liquidx@gentoo.org) [1] http://service.real.com/help/faq/security/040123_player/EN/ [2] http://bugs.gentoo.org/show_bug.cgi?id=40469 Search String: real_rec: RealOnePlayer2_0Buy OR RealOnePlayer1_0Buy OR RealOnePlayer1_0Try OR RealOneServices OR RealOnePlayerOSX OR RealOneMobile OR BillShipReturn OR Downloading OR Ordering OR Privacy OR SerialUpgradeSubscription OR RealNetworksCompany OR RealNetworksWebsite: Linux Security Update [X] None of the above THE INFORMATION PROVIDED IN THE REALNETWORKS KNOWLEDGE BASE IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND. REALNETWORKS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL REALNETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF REALNETWORKS OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright c RealNetworks Inc. and/or its licensors, 1995 - 1999 all rights reserved. RealAudio, RealVideo, RealMedia and RealPlayer are trademarks of RealNetworks Inc. --------------------- Instructions to Reply --------------------- Your Incident ID number for this request is 53514156 To reply to this message you may simply reply to this email. (Please do not modify the subject line)
Grrrrr! That is absolutely bullshit! grrrr! I don't like the realplayer at all, but their codecs are unfortunately needed for so many websites. If real doesn't react quickly, we need an alternative. Maybe Mplayer with hacked real-codecs? Or Mplayer with already patched windows-dll's? Ok, last one doesn't help non x86 users... :-(
reverse engineering codecs and dll's is not our job and may even not be permitted by license or law. Your more than welcome to start a new opensource project for such a task, but it's quite simply beyond the scope of the distribution.
Mplayer can already decode RealAudio/RealVideo formats. No need to hack anything. There is also mplayer-plugin for browsing internet.
Was this vulnerability announced? There's no issue in forums.g.o/News & Announcements.
No GLSA sent out.
Well, I talked with Rob Lamphier on the telephone just a few minutes ago to ask him on the progress of this issue. I hope we'll hear from Real soon about possible fixes.
Hi all - the vulnerability announcement you are referring to was specific to Windows platforms. That said, I don't yet know the answer to the specific question of whether or not RealPlayer 8 for Linux or the RealOne Player alpha for Linux are vulnerable. I started that ball rolling, but it'll take a bit to figure it out. In the meantime, we know for certain that the Helix Player for Linux (https://player.helixcommunity.org) is not vulnerable. We also know that mplayer + our DLLs to play back RealAudio and RealVideo constitutes a violation of our license agreement, so I recommend against considering that a "solution" for playing back RealAudio and RealVideo.
>Hi all - the vulnerability announcement you are referring to was specific to Windows platforms. That said, I don't yet know the answer to the specific question of whether or not RealPlayer 8 for Linux or the RealOne Player alpha for Linux are vulnerable. First, thanks for clearing this up - more or less. Exactly this sort of statements (the unclear announcement and your "hm, don't know for sure" comment) is one of the reasons, why I don't feel good using closed source software.
Hi folks -- sorry this is taking so long. We're in an awkward transitional time between our old player (RealPlayer 8) and the new player (Helix Player). The problem slipped through the cracks as a result of that. We'll keep folks posted...please bug me in a couple of days if you don't hear another update.
Hello folks.. The first two vulnerabilities are not applicable to RP8 for linux. The third one we are in the process of figuring out the extent to which it affects RP8(It doesn't affect the new community developed HelixPlayer that RobLa mentioned earlier) and the appropriate fix. The HelixPlayer will soon replace RP8. I will update here as things get figured out. thanks for your patience! Vikram Dendi (Program Manager for Helix Player)
Would it be possible to provide an ebuild for one of the nightly or milestone builds from https://player.helixcommunity.org? Perhaps at least as an option for those who need to view Real audio/video streams but don't want to be exposed to the vulnerabilities recently found?
CC yourself on bug #37372.
Just sent an email to Vikram to get a status update. -K
Received an quick answer from Vikram : << RP8 for Linux is fixed and all that's left is some QA and then updating the bits on the website. I will let you know when that's done. >>
Just sent an email to Vikram for a status update.
actually, um, I forgot to mention -- I've got access to a beta for the new version, that I'm testing. I'll release the ebuild as soon as Real.com gives me the go-ahead. Thanks
Vikram here. The RP8 build for Linux has been updated. http://forms.real.com/real/player/unix/unix.html Koon/Seemant feel free to download/use it if you are satisfied in your testing. RealPlayer10 alpha has also been released (in case you didn't know) with a superset functionality over RP8. So far we have heard that it has been very usable for most folks. https://player.helixcommunity.org/2004/downloads/ Also the nightly builds of the helix player for ppc linux should be live today here: http://forms.helixcommunity.org/helixdnaclient/ Now if only I had a faster box for my gentoo installation :)
Now I'm completely confused. I tried to hunt down the helix versions the ebuilds in portage want, but wasn't succesful. The odd version numbering, the confusing page and the need to register (sometimes) doesn't help, either. Then I grabbed what seems to be realplayer 10 alpha (realplay-0.3.0.120-linux-2.2-libc6-gcc32-i586.tar.bz2) and played around with it, with getting either errors "General error: HXR_SE_INVALID_VERSION (0x80041902) (Server has reached its capacity and can serve no more streams. Please try again later. rtsp://cm2.zdv.uni-tuebingen.de/UT_2004/05/26/UT_20040526_001_hoerschaeden_0001.rm320.rm&start=00:00.0)" or crashes. Playback of local files seems fine, though. :-/
Waiting for a http://forms.real.com/real/player/unix/unix.html update that leads to the new build.
I don't know if a helix-based Realplayer 10 is the solution, but right now, Gentoo has no player that can play realvideo format reliably. Current helix isn't allowed to play it, and Mplayer's implementation routinely scrambles video loses video/audio sync or and locks up mplayer (inconvenient in fullscreen mode). On my own machine, removing the mask, any news on other fronts? Is the mask actually based on a real exploit?
The mask is based upon an unsolved vulnerability, not an exploit being seen in the wild. You can unmask the ebuild and do with it, it's still in Portage. You can also run other Real.com installers outside the portage system.
not sure if the realplayer 10 (helixplayer + closed-source codecs) is a viable alternative here. comments?
Well, I could say something on the quality of helix player, if I'd get it to play any movie at all. It doesn't like all kinds of streaming servers I tried, it plays sound from hard disk without picture, it plays movie from disk without sound, ten seconds later it crashes... Perhaps someone else here is more successful, and I readily admit that it could be my fault. Oh, and one question: do the other apps using the real codecs know where to find them if you install them with real10? Seems like they don't.
As the person who submitted the ebuild for Real Player 10, I would definitely state that it isn't quite ready for prime time. It probably covers about 85% of the stuff that I want it to do which is better than what I had before. The biggest issue that I have had is that it will not play any of the clips at amazon.com because they are using an "obsolete" codec that isn't shipped with Realplayer 10. I've added my comments to their bug about the codec, but it doesn't appear that they will add it to the codecs that are shipped with this version of Real Player. Other than that I haven't really had any problems with it. However, I'm not a heavy media user, and I'm sure that how well it works is dependent upon the sites and media that various users are trying to access.
RealPlayer 10 for Linux and Helix Player 1.0 Final released : https://helixcommunity.org/forum/forum.php?forum_id=145
Hi, I just found this on real hp: http://www.service.real.com/help/faq/security/040928_player/EN/ they released security-fix updates of realplayer-10 and helixplayer Poly
Lars, this is a different bug. Realplayer 10 and Helixplayer don't even support all closed source Realplayer 8/9/One codecs afaik and the latter ones are not affected by this bug (at least under Linux). I think you should open a new bug report, if no one did already. The status of this bug report is clear, so it'll get low attention.
*** Bug 79347 has been marked as a duplicate of this bug. ***
*** Bug 79345 has been marked as a duplicate of this bug. ***
Please note that new integer overflows hit 8.1, 8.2, 9.0, 9.1, bug 79345 has details.
What is the status of this? 1. Is realplayer 10 available - I keep getting a "it's masked" but the -10 ebuild only has ~x86 in it. I put ~x86 in /etc/portage/package.keywords and it still won't install. package.mask talks about RP8 problems - so what it the status of 10? 2. Does 10 play the RP8 codes? 3. Is mplayer - as mentioned below a good alternative/ I'm confused <G>>
It's masked because it's listed in the package.mask file : # RealOne/RealPlayer 8 vulnerabilities bug #40469 media-video/realplayer media-video/realone You have to use package.unmask (man portage) to unlock this. Chris: Apparently you committed the latest realplayer10 recently... If it takes care of all the security issues (including applying the patches from http://www.service.real.com/help/faq/security/040928_player/EN/) then probably you could change the mask to <=media-video/realplayer-10 or something.
Real player 10.0.3 has been stable tested, and I will commit this as the secure realplayer to be used. Will wait for the go ahead from solar before removing the package mask. Please note that for the same security reasons, realplayer bundled codecs will be used instead of mplayer's codecs from their site.
Realplayer commited. Package.mask adjusted for anything less than 10.0.3.
*bump?*
I do not see any reason why we shouldn't close this bug