Bug 40469 - media-video/realplayer, media-video/realone : buffer overrun
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High enhancement
Assignee: Gentoo Security
Whiteboard: B1 [upstream+ masked] koon
Duplicates: 79345 79347
Depends on: 51970
Blocks: 31034
Reported: 2004-02-05 06:02 UTC by Carsten Lohrke (RETIRED)
Modified: 2005-04-10 10:46 UTC (History)
Description Carsten Lohrke (RETIRED) gentoo-dev 2004-02-05 06:02:47 UTC
http://www.service.real.com/help/faq/security/040123_player/EN/

Reproducible: Always
Comment 1 solar (RETIRED) gentoo-dev 2004-02-05 06:29:34 UTC
Carlo,
This looks to be for Windows Players only.
Can you try to find out some more details, please?
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2004-02-05 10:08:46 UTC
>"Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms)

don't know about exploit 3 - it's not noted
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2004-02-06 01:28:37 UTC
there doesn't seem to be an updated linux binary on their servers yet either...
Comment 4 Carsten Lohrke (RETIRED) gentoo-dev 2004-02-06 02:48:36 UTC
Jeremy: Sure. That doesn't mean that Gentoo users do not deserve a warning. The stable status of the ebuilds should be revoked.
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2004-02-06 02:53:15 UTC
oh I agree 100%.  I only mentioned that because I was hoping someone might know where (and if) updated linux binaries were released since the real.com website is a pain to navigate and I might've just missed it somehow.
Comment 7 solar (RETIRED) gentoo-dev 2004-02-06 03:25:47 UTC
I'm pasting this here..
It's a lot easier when we don't have to go chasing down urls
to get the basic info..


-----------------------------------------------------------------------
RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated February 4, 2004

RealNetworks, Inc. has recently been made aware of security vulnerabilities that could potentially allow an attacker to run arbitrary code on a user's machine.

The specific exploits were:

    * Exploit 1: To operate remote Javascript from the domain of the URL opened by a SMIL file or other file.
    * Exploit 2: To fashion RMP files which allow an attacker to download and execute arbitrary code on a user's machine.
    * Exploit 3: To fashion media files to create Buffer Overrun errors.

While we have not received reports of anyone actually being attacked with this exploit, all security vulnerabilities are taken very seriously by RealNetworks. RealNetworks has found and fixed the problem.

Affected Software:

    "Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

    "Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

    "Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).

Comment 8 Kurt Lieber (RETIRED) gentoo-dev 2004-02-06 05:03:04 UTC
Since this is a remote exploit, I agree that the packages should be masked in portage.
Comment 9 solar (RETIRED) gentoo-dev 2004-02-06 05:39:48 UTC
package masked for now..

new revision: 1.2680; previous revision: 1.2679

+# <solar@gentoo.org> (06 Feb 2004)
+# RealPlayer 8 vulnerabilities bug #40469
+media-video/realplayer
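Review bot: The new entry masks only media-video/realplayer, but this bug's summary also names media-video/realone, and the vendor text pasted above lists RealOne Player among the products affected by exploits 2 and 3. Add media-video/realone under the same comment header so both packages are masked together, and name both products in the `# RealPlayer 8 vulnerabilities` line.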

Can somebody please make an announcement on the gentoo-announce ml 
and touch base with the GWN guys.

Anybody that's interested in getting this unmasked please contact the 
upstream vendor and request an updated version for linux.
Comment 10 Alastair Tse (RETIRED) gentoo-dev 2004-02-06 05:46:04 UTC
i agree that it should be masked until a solution is found.
Comment 11 Carsten Lohrke (RETIRED) gentoo-dev 2004-02-06 06:01:22 UTC
@solar: what about media-video/realone ?
Comment 12 Aron Griffis (RETIRED) gentoo-dev 2004-02-06 07:13:00 UTC
Has anybody from Gentoo contacted RealNetworks directly to ask about a security update for Linux?
Comment 13 solar (RETIRED) gentoo-dev 2004-02-06 09:29:27 UTC
Aron
See comment #8

--------------------------------------------------------------------------------

Carlo
Thanks again, I was completely unaware that a realone even existed for linux.

Seeing as you're one of our best security bug reporters I'd like to request 
that when you report them if you could try to remember to include the category/package name corresponding to a report.

Thanks in advance.

--------------------------------------------------------------------------------
added to the package.mask

new revision: 1.2681; previous revision: 1.2680

-# RealPlayer 8 vulnerabilities bug #40469
+# RealPlayer/RealOne 8 vulnerabilities bug #40469
 media-video/realplayer
+media-video/realone
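Review bot: Both atoms in this entry are unversioned, so it masks every version of media-video/realplayer and media-video/realone, including any fixed release added to the tree later. That is reasonable while no fixed Linux build exists, but the comment line should say that the mask is to be narrowed to a versioned atom once upstream ships a fix. The wording `RealPlayer/RealOne 8` also reads as if RealOne had a version 8, whereas the advisory text refers to RealOne Player and RealPlayer 8.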
Comment 14 solar (RETIRED) gentoo-dev 2004-02-06 09:39:45 UTC
my last commit was a little unclear so I've reversed around the names.

-# RealPlayer/RealOne 8 vulnerabilities bug #40469
+# RealOne/RealPlayer 8 vulnerabilities bug #40469
Comment 15 Alastair Tse (RETIRED) gentoo-dev 2004-02-06 23:52:16 UTC
i've contacted them and here's the reply i got .. in short, seems like we're left out in the cold .. 

Hello!
Thank you for contacting RealNetworks Technical Support.

I am sorry to inform you that RealOne Player/RealPlayer 10 and the older versions are only available for Windows and Macintosh OS X operating systems at this time. RealNetworks does not release information on future availability or development of software products.

Visit http://www.real.com or http://www.realnetworks.com for the latest published information on RealNetworks products.

Additional Information:

At the request of customers in the UNIX community, RealNetworks has provided RealPlayer software in a variety of Community Supported platforms. 

RealNetworks does not formally support these versions of RealPlayer, however, we have created a special public forum to provide users of these products with a way to share their thoughts and experiences. We encourage you to use the forum for this purpose. 

You may download a Community Supported RealPlayer from the following location:
http://proforma.real.com/real/player/unix/unix.html?

You can access the Community Supported RealPlayer Forum at the following location:
http://realforum.real.com/cgi-bin/unixplayer/wwwthreads.pl

---------------------------------------

However if you have comments or suggestions, you can submit your feedback by following the link given below:

URL: http://www.expressresponse.com/cgi-bin/progsnp/real_fbk/srchjnnp?search_type=surveyreq&search_input=survey_1.html

---------------------------------------

Regards,

Dheeraj Pahlajani
B2K Corp.
RealNetworks Authorized Support Provider



RealOne subscribers can send general account questions by visiting http://service.real.com/realone/contact/

------- Original Message -------- 
From:		 liquidx@gentoo.org
To:		 realone@support.real.com
Subject:	 Linux Security Updat_ER#1076084591.26972.4#
Date:		 02/06/04 08:37:40


Dear Real Customer Support,

I am writing to you via this webform because I cannot find any other contact information on your website to which I can query about security issues. 

Firstly, I am a developer for Gentoo Linux, a free and open-source meta-distribution for Linux. We distribute executable instructions for users to download and install free and/or open-source libraries and applications.

We have received the announcement from Real that the current versions of RealPlayer 8 and RealOne Player are vulnerable to maliciously crafted media files that can execute arbitrary code on a user's system[2]. We treat these reports seriously and have decided to advise users to uninstall realplayer or realone player from their systems until this vulnerability has been resolved.

My question to Real Player Unix support is when (if possible) will there be a patched version of RealOne Player for Linux and/or RealPlayer 8 for Linux released that addresses the vulnerability[1]?

We will be willing to provide any information and or help that would allow the speedy solution to this problem. 

Thank you very much for your time.

Best Regards,

Alastair Tse (liquidx@gentoo.org)

[1] http://service.real.com/help/faq/security/040123_player/EN/
[2] http://bugs.gentoo.org/show_bug.cgi?id=40469 
Comment 16 Stefan Briesenick (RETIRED) gentoo-dev 2004-02-15 05:23:19 UTC
Grrrrr! That is absolutely bullshit! grrrr!

I don't like the realplayer at all, but their codecs are unfortunately needed for so many websites.

If real doesn't react quickly, we need an alternative. Maybe Mplayer with hacked real-codecs? Or Mplayer with already patched windows-dll's? Ok, last one doesn't help non x86 users... :-(
Comment 17 solar (RETIRED) gentoo-dev 2004-02-15 10:08:10 UTC
reverse engineering codecs and dll's is not our job and may even not be 
permitted by license or law. You're more than welcome to start a new
opensource project for such a task, but it's quite simply beyond the
scope of the distribution.
Comment 18 hodak 2004-02-15 13:42:02 UTC
Mplayer can already decode RealAudio/RealVideo formats. No need to hack anything. There is also mplayer-plugin for browsing internet.
Comment 19 Carsten Lohrke (RETIRED) gentoo-dev 2004-02-29 15:03:57 UTC
Was this vulnerability announced? There's no issue in forums.g.o/News & Announcements.
Comment 20 solar (RETIRED) gentoo-dev 2004-03-17 19:16:21 UTC
No GLSA sent out.
Comment 21 Seemant Kulleen (RETIRED) gentoo-dev 2004-03-19 16:28:06 UTC
Well, I talked with Rob Lanphier on the telephone just a few minutes ago to ask him on the progress of this issue.  I hope we'll hear from Real soon about possible fixes.
Comment 22 Rob Lanphier 2004-03-19 17:48:10 UTC
Hi all - the vulnerability announcement you are referring to was specific to Windows platforms.  That said, I don't yet know the answer to the specific question of whether or not RealPlayer 8 for Linux or the RealOne Player alpha for Linux are vulnerable.  I started that ball rolling, but it'll take a bit to figure it out.

In the meantime, we know for certain that the Helix Player for Linux (https://player.helixcommunity.org) is not vulnerable.  We also know that mplayer + our DLLs to play back RealAudio and RealVideo constitutes a violation of our license agreement, so I recommend against considering that a "solution" for playing back RealAudio and RealVideo.
Comment 23 Carsten Lohrke (RETIRED) gentoo-dev 2004-03-20 02:11:25 UTC
>Hi all - the vulnerability announcement you are referring to was specific to Windows platforms. That said, I don't yet know the answer to the specific question of whether or not RealPlayer 8 for Linux or the RealOne Player alpha for Linux are vulnerable.

First, thanks for clearing this up - more or less. Exactly this sort of statement (the unclear announcement and your "hm, don't know for sure" comment) is one of the reasons why I don't feel good using closed source software.
Comment 24 Rob Lanphier 2004-03-23 15:18:45 UTC
Hi folks -- sorry this is taking so long.  We're in an awkward transitional time between our old player (RealPlayer 8) and the new player (Helix Player).  The problem slipped through the cracks as a result of that.  We'll keep folks posted...please bug me in a couple of days if you don't hear another update.
Comment 25 Vikram Dendi 2004-03-29 00:59:23 UTC
Hello folks.. The first two vulnerabilities are not applicable to RP8 for linux. The third one we are in the process of figuring out the extent to which it affects RP8 (it doesn't affect the new community developed HelixPlayer that RobLa mentioned earlier) and the appropriate fix.
The HelixPlayer will soon replace RP8.
I will update here as things get figured out.
thanks for your patience!
Vikram Dendi
(Program Manager for Helix Player)
Comment 26 theboywho 2004-03-31 04:12:22 UTC
Would it be possible to provide an ebuild for one of the nightly or milestone builds from https://player.helixcommunity.org?

Perhaps at least as an option for those who need to view Real audio/video streams but don't want to be exposed to the vulnerabilities recently found?
Comment 27 Donnie Berkholz (RETIRED) gentoo-dev 2004-03-31 07:08:43 UTC
CC yourself on bug #37372.
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2004-04-23 08:14:45 UTC
Just sent an email to Vikram to get a status update.
-K
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2004-04-24 02:08:37 UTC
Received a quick answer from Vikram:
<< RP8 for Linux is fixed and all that's left is some QA and then updating the bits on the website. I will let you know when that's done. >>
Comment 30 Thierry Carrez (RETIRED) gentoo-dev 2004-05-31 03:27:26 UTC
Just sent an email to Vikram for a status update.
Comment 31 Seemant Kulleen (RETIRED) gentoo-dev 2004-05-31 08:37:35 UTC
actually, um, I forgot to mention -- I've got access to a beta for the new version, that I'm testing.  I'll release the ebuild as soon as Real.com gives me the go-ahead.

Thanks
Comment 32 Vikram Dendi 2004-06-02 21:35:07 UTC
Vikram here. The RP8 build for Linux has been updated.
http://forms.real.com/real/player/unix/unix.html
Koon/Seemant feel free to download/use it if you are satisfied in your testing. RealPlayer10 alpha has also been released (in case you didn't know) with a superset functionality over RP8. So far we have heard that it has been very usable for most folks. 
https://player.helixcommunity.org/2004/downloads/

Also the nightly builds of the helix player for ppc linux should be live today here:
http://forms.helixcommunity.org/helixdnaclient/

Now if only I had a faster box for my gentoo installation :)
Comment 33 Thomas R. (TRauMa) 2004-06-03 08:35:04 UTC
Now I'm completely confused. I tried to hunt down the helix versions the ebuilds in portage want, but wasn't successful. The odd version numbering, the confusing page and the need to register (sometimes) don't help, either.

Then I grabbed what seems to be realplayer 10 alpha (realplay-0.3.0.120-linux-2.2-libc6-gcc32-i586.tar.bz2) and played around with it, with getting either errors

"General error: HXR_SE_INVALID_VERSION (0x80041902) (Server has reached its capacity and can serve no more streams. Please try again later.

rtsp://cm2.zdv.uni-tuebingen.de/UT_2004/05/26/UT_20040526_001_hoerschaeden_0001.rm320.rm&start=00:00.0)"

or crashes.

Playback of local files seems fine, though. :-/
Comment 34 Thierry Carrez (RETIRED) gentoo-dev 2004-06-07 13:33:07 UTC
Waiting for a http://forms.real.com/real/player/unix/unix.html update that leads to the new build.
Comment 35 bugs 2004-06-24 16:45:53 UTC
I don't know if a helix-based Realplayer 10 is the solution, but right now, Gentoo has no player that can play realvideo format reliably.  Current helix isn't allowed to play it, and Mplayer's implementation routinely scrambles video, loses video/audio sync, or locks up mplayer (inconvenient in fullscreen mode).

On my own machine, removing the mask, any news on other fronts?  Is the mask actually based on a real exploit?

Comment 36 Thierry Carrez (RETIRED) gentoo-dev 2004-06-25 10:51:30 UTC
The mask is based upon an unsolved vulnerability, not an exploit being seen in the wild. You can unmask the ebuild and do with it, it's still in Portage. You can also run other Real.com installers outside the portage system.
Comment 37 Alastair Tse (RETIRED) gentoo-dev 2004-07-01 12:05:57 UTC
not sure if the realplayer 10 (helixplayer + closed-source codecs) is a viable alternative here. comments?
Comment 38 Thomas R. (TRauMa) 2004-07-01 13:40:09 UTC
Well, I could say something on the quality of helix player, if I'd get it to play any movie at all. It doesn't like all kinds of streaming servers I tried, it  plays sound from hard disk without picture, it plays movie from disk without sound, ten seconds later it crashes... Perhaps someone else here is more successful, and I readily admit that it could be my fault.

Oh, and one question: do the other apps using the real codecs know where to find them if you install them with real10? Seems like they don't.
Comment 39 Paul Varner (RETIRED) gentoo-dev 2004-07-01 16:51:49 UTC
As the person who submitted the ebuild for Real Player 10, I would definitely state that it isn't quite ready for prime time.  It probably covers about 85% of the stuff that I want it to do which is better than what I had before.  The biggest issue that I have had is that it will not play any of the clips at amazon.com because they are using an "obsolete" codec that isn't shipped with Realplayer 10.  I've added my comments to their bug about the codec, but it doesn't appear that they will add it to the codecs that are shipped with this version of Real Player.  Other than that I haven't really had any problems with it.  However, I'm not a heavy media user, and I'm sure that how well it works is dependent upon the sites and media that various users are trying to access. 
Comment 40 Thierry Carrez (RETIRED) gentoo-dev 2004-08-05 02:00:22 UTC
RealPlayer 10 for Linux and Helix Player 1.0 Final released :
https://helixcommunity.org/forum/forum.php?forum_id=145
Comment 41 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2004-09-29 06:14:52 UTC
Hi,

I just found this on real hp:

http://www.service.real.com/help/faq/security/040928_player/EN/

they released security-fix updates of realplayer-10 and helixplayer

Poly
Comment 42 Carsten Lohrke (RETIRED) gentoo-dev 2004-09-29 12:57:47 UTC
Lars, this is a different bug. Realplayer 10 and Helixplayer don't even support all closed source Realplayer 8/9/One codecs afaik and the latter ones are not affected by this bug (at least under Linux). I think you should open a new bug report, if no one did already. The status of this bug report is clear, so it'll get low attention.
Comment 43 Thierry Carrez (RETIRED) gentoo-dev 2005-01-25 02:59:41 UTC
*** Bug 79347 has been marked as a duplicate of this bug. ***
Comment 44 Thierry Carrez (RETIRED) gentoo-dev 2005-01-25 03:00:06 UTC
*** Bug 79345 has been marked as a duplicate of this bug. ***
Comment 45 Thierry Carrez (RETIRED) gentoo-dev 2005-01-25 03:01:07 UTC
Please note that new integer overflows hit 8.1, 8.2, 9.0, 9.1, bug 79345 has details.
Comment 46 Brett I. Holcomb 2005-01-27 19:43:49 UTC
What is the status of this?  

1.  Is realplayer 10 available - I keep getting a "it's masked" but the -10 ebuild only has ~x86 in it.  I put ~x86 in /etc/portage/package.keywords and it still won't install.  package.mask talks about RP8 problems - so what is the status of 10?

2.  Does 10 play the RP8 codecs?

3.  Is mplayer - as mentioned below - a good alternative?

I'm confused <G>
Comment 47 Thierry Carrez (RETIRED) gentoo-dev 2005-01-28 01:04:33 UTC
It's masked because it's listed in the package.mask file :

# RealOne/RealPlayer 8 vulnerabilities bug #40469
media-video/realplayer
media-video/realone

You have to use package.unmask (man portage) to unlock this.

Chris: Apparently you committed the latest realplayer10 recently... If it takes care of all the security issues (including applying the patches from http://www.service.real.com/help/faq/security/040928_player/EN/) then probably you could change the mask to <=media-video/realplayer-10 or something.
Comment 48 Chris White (RETIRED) gentoo-dev 2005-03-12 22:23:56 UTC
Real player 10.0.3 has been stable tested, and I will commit this as the secure realplayer to be used.  Will wait for the go ahead from solar before removing the package mask.  Please note that for the same security reasons, realplayer bundled codecs will be used instead of mplayer's codecs from their site.
Comment 49 Chris White (RETIRED) gentoo-dev 2005-03-13 19:41:47 UTC
Realplayer committed.  Package.mask adjusted for anything less than 10.0.3.
Comment 50 Chris White (RETIRED) gentoo-dev 2005-03-28 20:31:17 UTC
*bump?*
Comment 51 solar (RETIRED) gentoo-dev 2005-04-10 10:46:44 UTC
I do not see any reason why we shouldn't close this bug