Bug 559995 - (CVE-2009-0375, CVE-2009-0376, CVE-2009-4241, CVE-2009-4244, CVE-2009-4246) HelixPlayer / RealPlayer: multiple security issues (01192010_player)
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
urgent Severity urgent
Assigned To: Red Hat Product Security
impact=critical,source=internet,repor...
: Security
Depends On: 559997 559998 CVE-2009-4257 CVE-2009-4247 CVE-2009-4248 CVE-2009-4243 CVE-2009-4242 CVE-2009-4245 CVE-2010-0416 CVE-2010-0417
Reported: 2010-01-29 10:34 EST by Tomas Hoger
Modified: 2010-02-09 04:09 EST
Doc Type: Bug Fix
Last Closed: 2010-02-09 04:09:19 EST


Description Tomas Hoger 2010-01-29 10:34:34 EST
RealNetworks has published a security advisory mentioning 11 security issues affecting various RealPlayer / HelixPlayer versions:

  http://service.real.com/realplayer/security/01192010_player/en/

Upstream advisory does not specify which issues should be applicable to HelixPlayer 1.0.x versions (Affected? By various).

Some of the issues are covered by 3rd party advisories (e.g. ZDI) listed below.

Vulnerability 1:
The identified vulnerability is a RealPlayer ASM Rulebook heap-based buffer overflow: CVE-2009-4241
http://www.zerodayinitiative.com/advisories/ZDI-10-005/

Vulnerability 2:
The identified vulnerability is a RealPlayer GIF file Heap Overflow: CVE-2009-4242
http://www.zerodayinitiative.com/advisories/ZDI-10-006/

Vulnerability 3:
The identified vulnerability is a RealPlayer media Overflow (http chunk encoding): CVE-2009-4243

Vulnerability 4:
The identified vulnerability is a RealPlayer IVR file processing buffer overflow: CVE-2009-0375

Vulnerability 5:
The identified vulnerability is a RealPlayer IVR file Heap overflow: CVE-2009-0376
http://www.zerodayinitiative.com/advisories/ZDI-10-009/

http://www.fortiguard.com/advisory/FGA-2009-04.html (0375, 0376)

Vulnerability 6:
The identified vulnerability is a RealPlayer SIPR Codec Heap Overflow: CVE-2009-4244
http://www.zerodayinitiative.com/advisories/ZDI-10-008/

Vulnerability 7:
The identified vulnerability is a RealPlayer compressed GIF Heap Overflow: CVE-2009-4245

Vulnerability 8:
The identified vulnerability is a RealPlayer SMIL Parsing Heap Overflow Vulnerability: CVE-2009-4257
http://www.zerodayinitiative.com/advisories/ZDI-10-007/

Vulnerability 9:
The identified vulnerability is a RealPlayer Skin Parsing Stack Overflow Vulnerability: CVE-2009-4246
http://www.zerodayinitiative.com/advisories/ZDI-10-010/

Vulnerability 10:
The identified vulnerability is a RealPlayer ASM RuleBook Array Overflow: CVE-2009-4247

Vulnerability 11:
The identified vulnerability is a RealPlayer rtsp set_parameter buffer overflow: CVE-2009-4248
Comment 1 Tomas Hoger 2010-01-29 10:39:44 EST
Some of the issues affect proprietary codecs / file formats that are only supported by RealPlayer or RealPlayer on certain platforms (IVR CVE-2009-0375, CVE-2009-0376; SIPR CVE-2009-4244).

Linux versions of RealPlayer and Helix Player don't seem to support skins (CVE-2009-4246).
Comment 3 Tomas Hoger 2010-02-03 06:06:46 EST
RealNetworks confirmed that vulnerabilities 4, 5, 6 and 9 (listed in comment #1) did not affect HelixPlayer 1.x.

RealNetworks also confirmed that vulnerability 1 did not affect HelixPlayer 1.x.  According to ZDI, the flaw existed in the code responsible for parsing ASMRuleBook structures in the Real Media (RM) format files.  Codec for RM format is not included with HelixPlayer.
Comment 4 Tomas Hoger 2010-02-04 09:53:14 EST
Remaining vulnerabilities 2, 3, 7, 8, 10, and 11 are tracked via separate bugs:

bug #561436 - GIF file heap overflow
bug #561388 - HTTP chunk encoding overflow
bug #561441 - compressed GIF heap overflow
bug #561309 - SMIL getAtom heap buffer overflow
bug #561338 - RTSP client ASM RuleBook stack buffer overflow
bug #561361 - RTSP SET_PARAMETER buffer overflow

While collecting patches for those issues, two additional older security fixes were spotted in the upstream CVS:

bug #561856 - URL unescape buffer overflow
bug #561860 - rule book handling heap corruption
Comment 5 Tomas Hoger 2010-02-09 04:09:19 EST
Closing this one, all relevant issues are tracked via separate bugs.
