SUSE Security Announcement: RealPlayer buffer overflow in RAM file handling (SUSE-SA:2005:026)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: RealPlayer
Announcement-ID: SUSE-SA:2005:026
Date: Wed, 20 Apr 2005 09:00:00 +0000
Affected products: 9.2, 9.3
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE default package: yes
Cross References:
Content of this advisory:
1) security vulnerability resolved:
buffer overflow in RAM file handling
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
See SUSE Security Summary Report.
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
This update fixes a security issue within the RealPlayer media player.
A remote attacker could craft a special .RAM (Real Audio Media) file
which would cause a buffer overflow when played within RealPlayer.
This is the Real Player Update as referenced on this page:
http://service.real.com/help/faq/security/050419_player/EN/
2) solution/workaround
None, please install the updated packages.
3) special instructions and notes
Restart RealPlayer if running.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/RealPlayer-10.0.4-1.1.i586.rpm
b6ca6d5c87690fca385981ccf272ddf1
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/RealPlayer-10.0.4-1.1.i586.rpm
7e87cb712e6f07b9bdefe4f2ea79d6d0
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
On Wed, Apr 20, 2005 at 09:31:37AM +0200, Marcus Meissner wrote:
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: RealPlayer Announcement-ID: SUSE-SA:2005:026 Date: Wed, 20 Apr 2005 09:00:00 +0000 Affected products: 9.2, 9.3 Novell Linux Desktop 9
Vulnerability Type: remote code execution Severity (1-10): 8 SUSE default package: yes Cross References:
Content of this advisory: 1) security vulnerability resolved: buffer overflow in RAM file handling problem description 2) solution/workaround 3) special instructions and notes 4) package location and checksums 5) pending vulnerabilities, solutions, workarounds: See SUSE Security Summary Report. 6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
This update fixes a security issue within the RealPlayer media player.
A remote attacker could craft a special .RAM (Real Audio Media) file which would cause a buffer overflow when played within RealPlayer.
This is the Real Player Update as referenced on this page:
http://service.real.com/help/faq/security/050419_player/EN/
2) solution/workaround
None, please install the updated packages.
3) special instructions and notes
Restart RealPlayer if running.
4) package location and checksums
Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/RealPlayer-10.0.4-1.1.i586.rpm b6ca6d5c87690fca385981ccf272ddf1
SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/RealPlayer-10.0.4-1.1.i586.rpm 7e87cb712e6f07b9bdefe4f2ea79d6d0
Whilst the above RPM (for SuSE 9.2) does appear at the URL referenced, it appears to be an older (than 20 April 2005) file: RealPlayer-10.0.4-1.1.i586.rpm 08-Apr-2005 16:52 5.1M In any event, YOU is not making a new Real Player update available (even though the above is present on the update server, and main mirrors) and indicates that the last Real Player update installed addressed the following issues: http://service.real.com/help/faq/security/050224_player/EN/ Which I think was the issue which this update addressed: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/RealPlayer-10.0.3-0.1.i586.rpm As per your advisory on Wed, 09 Mar 2005. Where exactly are the raw logs located which indicate which patches YOU has installed? Or is this latest Real Player update an update that needs to be applied manually, i.e. not using YOU? -- Anthony Edwards anthony.edwards@uk.easynet.net
Anthony Edwards wrote:
On Wed, Apr 20, 2005 at 09:31:37AM +0200, Marcus Meissner wrote: [...]
SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/RealPlayer-10.0.4-1.1.i586.rpm 7e87cb712e6f07b9bdefe4f2ea79d6d0
Whilst the above RPM (for SuSE 9.2) does appear at the URL referenced, it appears to be an older (than 20 April 2005) file:
RealPlayer-10.0.4-1.1.i586.rpm 08-Apr-2005 16:52 5.1M
There is some time between building an rpm and releasing it. The build date is preserved.
In any event, YOU is not making a new Real Player update available (even though the above is present on the update server, and main mirrors) and indicates that the last Real Player update installed addressed the following issues:
Works for me. "rpm -q RealPlayer" should print RealPlayer-10.0.4-1.1 after the update.
Where exactly are the raw logs located which indicate which patches YOU has installed? Or is this latest Real Player update an update
/var/lib/YaST2/you/youlog
that needs to be applied manually, i.e. not using YOU?
YOU is supposed to do it. cu Ludwig -- (o_ Ludwig Nussel //\ SUSE LINUX Products GmbH, Development V_/_ http://www.suse.de/
On Wed, Apr 20, 2005 at 11:57:19AM +0200, Ludwig Nussel wrote:
Works for me. "rpm -q RealPlayer" should print RealPlayer-10.0.4-1.1 after the update.
anthony@catfish:~> rpm -q RealPlayer RealPlayer-10.0.3-0.1
Where exactly are the raw logs located which indicate which patches YOU has installed? Or is this latest Real Player update an update
/var/lib/YaST2/you/youlog
Thanks. According to this log, the last Real Player related update carried out by YOU was: ---- begin log file extract ---- 2005-03-09 16:27:16 (3048): Retrieving RealPlayer: "RealPlayer 10 for Linux" ... 2005-03-09 16:27:23 (3048): Ok 2005-03-09 16:27:23 (3048): Applying delta ... 2005-03-09 16:27:29 (3048): Ok 2005-03-09 16:27:29 (3048): Installing RealPlayer: "RealPlayer 10 for Linux" 2005-03-09 16:27:44 (3048): Ok 2005-03-09 16:27:44 (3048): Installation finished. 2005-03-09 16:27:44 (3048): 1 patch has been installed. ---- end log file extract ----
that needs to be applied manually, i.e. not using YOU?
YOU is supposed to do it.
It isn't doing so, which seems somewhat odd as I have always found YOU absolutely reliable in the past, from SuSE 7.3 onwards. Anything else I might try? -- Anthony Edwards anthony.edwards@uk.easynet.net
On Wed, Apr 20, 2005 at 11:24:28AM +0100, Anthony Edwards wrote:
YOU is supposed to do it.
It isn't doing so, which seems somewhat odd as I have always found YOU absolutely reliable in the past, from SuSE 7.3 onwards.
I have just run YOU again, and the update has now been installed. anthony@catfish:~> rpm -q RealPlayer RealPlayer-10.0.4-1.1 Most odd. -- Anthony Edwards anthony.edwards@uk.easynet.net
On Wed, Apr 20, 2005 at 11:29:43AM +0100, Anthony Edwards wrote:
On Wed, Apr 20, 2005 at 11:24:28AM +0100, Anthony Edwards wrote:
YOU is supposed to do it.
It isn't doing so, which seems somewhat odd as I have always found YOU absolutely reliable in the past, from SuSE 7.3 onwards.
I have just run YOU again, and the update has now been installed.
anthony@catfish:~> rpm -q RealPlayer RealPlayer-10.0.4-1.1
Most odd.
Perhaps your mirror was not up to date yet. There is some delay ... Ciao, Marcus
participants (3)
-
Anthony Edwards
-
Ludwig Nussel
-
Marcus Meissner