Bug 559995 (CVE-2009-0375, CVE-2009-0376, CVE-2009-4241, CVE-2009-4244, CVE-2009-4246)

Summary: HelixPlayer / RealPlayer: multiple security issues (01192010_player)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: urgent
Priority: urgent
Version: unspecified
CC: cmontgom, kreilly
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-02-09 09:09:19 UTC
Bug Depends On: 559997, 559998, 561309, 561338, 561361, 561388, 561436, 561441, 561856, 561860

Description Tomas Hoger 2010-01-29 15:34:34 UTC
RealNetworks has published a security advisory mentioning 11 security issues affecting various RealPlayer / HelixPlayer versions:

  http://service.real.com/realplayer/security/01192010_player/en/

Upstream advisory does not specify which issues should be applicable to HelixPlayer 1.0.x versions (Affected? By various).

Some of the issues are covered by 3rd party advisories (e.g. ZDI) listed below.

Vulnerability 1:
The identified vulnerability is a RealPlayer ASM Rulebook heap-based buffer overflow: CVE-2009-4241
http://www.zerodayinitiative.com/advisories/ZDI-10-005/

Vulnerability 2:
The identified vulnerability is a RealPlayer GIF file Heap Overflow: CVE-2009-4242
http://www.zerodayinitiative.com/advisories/ZDI-10-006/

Vulnerability 3:
The identified vulnerability is a RealPlayer media Overflow (http chunk encoding): CVE-2009-4243

Vulnerability 4:
The identified vulnerability is a RealPlayer IVR file processing buffer overflow: CVE-2009-0375

Vulnerability 5:
The identified vulnerability is a RealPlayer IVR file Heap overflow: CVE-2009-0376
http://www.zerodayinitiative.com/advisories/ZDI-10-009/

http://www.fortiguard.com/advisory/FGA-2009-04.html (0375, 0376)

Vulnerability 6:
The identified vulnerability is a RealPlayer SIPR Codec Heap Overflow: CVE-2009-4244
http://www.zerodayinitiative.com/advisories/ZDI-10-008/

Vulnerability 7:
The identified vulnerability is a RealPlayer compressed GIF Heap Overflow: CVE-2009-4245

Vulnerability 8:
The identified vulnerability is a RealPlayer SMIL Parsing Heap Overflow Vulnerability: CVE-2009-4257
http://www.zerodayinitiative.com/advisories/ZDI-10-007/

Vulnerability 9:
The identified vulnerability is a RealPlayer Skin Parsing Stack Overflow Vulnerability: CVE-2009-4246
http://www.zerodayinitiative.com/advisories/ZDI-10-010/

Vulnerability 10:
The identified vulnerability is a RealPlayer ASM RuleBook Array Overflow: CVE-2009-4247

Vulnerability 11:
The identified vulnerability is a RealPlayer rtsp set_parameter buffer overflow: CVE-2009-4248

Comment 1 Tomas Hoger 2010-01-29 15:39:44 UTC
Some of the issues affect proprietary codecs / file formats that are only supported by RealPlayer or RealPlayer on certain platforms (IVR CVE-2009-0375, CVE-2009-0376; SIPR CVE-2009-4244).

Linux versions of RealPlayer and Helix Player don't seem to support skins (CVE-2009-4246).

Comment 3 Tomas Hoger 2010-02-03 11:06:46 UTC
RealNetworks confirmed that vulnerabilities 4, 5, 6 and 9 (listed in comment #1) did not affect HelixPlayer 1.x.

RealNetworks also confirmed that vulnerability 1 did not affect HelixPlayer 1.x. According to ZDI, the flaw existed in the code responsible for parsing ASMRuleBook structures in the Real Media (RM) format files. Codec for RM format is not included with HelixPlayer.

Comment 4 Tomas Hoger 2010-02-04 14:53:14 UTC
Remaining vulnerabilities 2, 3, 7, 8, 10, and 11 are tracked via separate bugs:

bug #561436 - GIF file heap overflow
bug #561388 - HTTP chunk encoding overflow
bug #561441 - compressed GIF heap overflow
bug #561309 - SMIL getAtom heap buffer overflow
bug #561338 - RTSP client ASM RuleBook stack buffer overflow
bug #561361 - RTSP SET_PARAMETER buffer overflow

While collecting patches for those issues, two additional older security fixes were spotted in the upstream CVS:

bug #561856 - URL unescape buffer overflow
bug #561860 - rule book handling heap corruption

Comment 5 Tomas Hoger 2010-02-09 09:09:19 UTC
Closing this one, all relevant issues are tracked via separate bugs.