On Wed, Apr 20, 2005 at 09:31:37AM +0200, Marcus Meissner wrote:
-----BEGIN PGP SIGNED MESSAGE-----
SUSE Security Announcement

Package: RealPlayer
Announcement-ID: SUSE-SA:2005:026
Date: Wed, 20 Apr 2005 09:00:00 +0000
Affected products: 9.2, 9.3, Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE default package: yes
Cross References:

Content of this advisory:
1) security vulnerability resolved: buffer overflow in RAM file handling
   problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
   See SUSE Security Summary Report.
6) standard appendix (further information)
1) problem description, brief discussion
This update fixes a security issue within the RealPlayer media player.
A remote attacker could craft a special .RAM (Real Audio Media) file which would cause a buffer overflow when played within RealPlayer.
This is the Real Player Update as referenced on this page:
2) solution/workaround
None, please install the updated packages.
3) special instructions and notes
Restart RealPlayer if running.
4) package location and checksums
Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/RealPlayer-10.0.4-1.1.i586.rpm b6ca6d5c87690fca385981ccf272ddf1
SUSE Linux 9.2: ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/RealPlayer-10.0.4-1.1.i586.rpm 7e87cb712e6f07b9bdefe4f2ea79d6d0
Whilst the above RPM (for SuSE 9.2) does appear at the URL referenced, it appears to be an older (than 20 April 2005) file:

RealPlayer-10.0.4-1.1.i586.rpm 08-Apr-2005 16:52 5.1M

In any event, YOU is not making a new Real Player update available (even though the above is present on the update server, and main mirrors) and indicates that the last Real Player update installed addressed the following issues:

http://service.real.com/help/faq/security/050224_player/EN/

Which I think was the issue which this update addressed:

ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/RealPlayer-10.0.3-0.1.i586.rpm

As per your advisory on Wed, 09 Mar 2005.

Where exactly are the raw logs located which indicate which patches YOU has installed? Or is this latest Real Player update an update that needs to be applied manually, i.e. not using YOU?

--
Anthony Edwards
anthony.edwards@uk.easynet.net
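Added example (not part of the advisory or of this reply): the advisory's section 4) asks the reader to fetch the RPM, verify it against the published MD5 checksum, and then apply it with "rpm -Fhv". The script below wraps that procedure so the install step only runs when the checksum matches, and it prints the installed package version so it can be compared against the advisory's 10.0.4-1.1 when, as in the question above, it is unclear whether the update has been applied. It assumes md5sum from coreutils; the rpm calls only work on an RPM-based system, and the hash and file name are passed in by the caller (taken from the advisory, or constructed values for testing).

```shell
#!/bin/sh
# Added example, not the advisory's or SUSE's own tooling.
# Assumes: md5sum (coreutils); rpm is only present on RPM-based systems.

# verify_md5 FILE EXPECTED_MD5 -> returns 0 when the file's MD5 matches the
# expected value (the checksum column of the advisory), 1 otherwise.
verify_md5() {
    file="$1"
    expected="$2"
    actual=$(md5sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# installed_version PACKAGE -> prints VERSION-RELEASE of the installed
# package (e.g. 10.0.4-1.1), "not-installed", or "rpm-unavailable" when
# this host has no rpm at all.
installed_version() {
    pkg="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm-unavailable"
        return 0
    fi
    if rpm -q "$pkg" >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg"
    else
        echo "not-installed"
    fi
}

# apply_update FILE EXPECTED_MD5 -> refuses to install unless the checksum
# matches; the install itself is the command the advisory gives.
apply_update() {
    verify_md5 "$1" "$2" || return 1
    rpm -Fhv "$1"
}

# Example invocation with the values from the advisory (9.2 package):
#   apply_update RealPlayer-10.0.4-1.1.i586.rpm 7e87cb712e6f07b9bdefe4f2ea79d6d0
#   installed_version RealPlayer
```

Run it after downloading the RPM into the current directory; a mismatch is reported on stderr and nothing is installed. Comparing the output of installed_version with the version in the advisory answers whether the update reached the host, independently of what YaST Online Update reports.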