Bug 559995 (CVE-2009-0375, CVE-2009-0376, CVE-2009-4241, CVE-2009-4244, CVE-2009-4246) - HelixPlayer / RealPlayer: multiple security issues (01192010_player)
Summary: HelixPlayer / RealPlayer: multiple security issues (01192010_player)
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2009-0375, CVE-2009-0376, CVE-2009-4241, CVE-2009-4244, CVE-2009-4246
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 559997 559998 CVE-2009-4257 CVE-2009-4247 CVE-2009-4248 CVE-2009-4243 CVE-2009-4242 CVE-2009-4245 CVE-2010-0416 CVE-2010-0417
Blocks:
Reported: 2010-01-29 15:34 UTC by Tomas Hoger
Modified: 2019-09-29 12:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-09 09:09:19 UTC



Description Tomas Hoger 2010-01-29 15:34:34 UTC
RealNetworks has published a security advisory mentioning 11 security issues affecting various RealPlayer / HelixPlayer versions:

  http://service.real.com/realplayer/security/01192010_player/en/

Upstream advisory does not specify which issues should be applicable to HelixPlayer 1.0.x versions (Affected? By various).

Some of the issues are covered by 3rd party advisories (e.g. ZDI) listed below.

Vulnerability 1:
The identified vulnerability is a RealPlayer ASM Rulebook heap-based buffer overflow: CVE-2009-4241
http://www.zerodayinitiative.com/advisories/ZDI-10-005/

Vulnerability 2:
The identified vulnerability is a RealPlayer GIF file Heap Overflow: CVE-2009-4242
http://www.zerodayinitiative.com/advisories/ZDI-10-006/

Vulnerability 3:
The identified vulnerability is a RealPlayer media Overflow (http chunk encoding): CVE-2009-4243

Vulnerability 4:
The identified vulnerability is a RealPlayer IVR file processing buffer overflow: CVE-2009-0375

Vulnerability 5:
The identified vulnerability is a RealPlayer IVR file Heap overflow: CVE-2009-0376
http://www.zerodayinitiative.com/advisories/ZDI-10-009/

http://www.fortiguard.com/advisory/FGA-2009-04.html (0375, 0376)

Vulnerability 6:
The identified vulnerability is a RealPlayer SIPR Codec Heap Overflow: CVE-2009-4244
http://www.zerodayinitiative.com/advisories/ZDI-10-008/

Vulnerability 7:
The identified vulnerability is a RealPlayer compressed GIF Heap Overflow: CVE-2009-4245

Vulnerability 8:
The identified vulnerability is a RealPlayer SMIL Parsing Heap Overflow Vulnerability: CVE-2009-4257
http://www.zerodayinitiative.com/advisories/ZDI-10-007/

Vulnerability 9:
The identified vulnerability is a RealPlayer Skin Parsing Stack Overflow Vulnerability: CVE-2009-4246
http://www.zerodayinitiative.com/advisories/ZDI-10-010/

Vulnerability 10:
The identified vulnerability is a RealPlayer ASM RuleBook Array Overflow: CVE-2009-4247

Vulnerability 11:
The identified vulnerability is a RealPlayer rtsp set_parameter buffer overflow: CVE-2009-4248

Comment 1 Tomas Hoger 2010-01-29 15:39:44 UTC
Some of the issues affect proprietary codecs / file formats that are only supported by RealPlayer or RealPlayer on certain platforms (IVR CVE-2009-0375, CVE-2009-0376; SIPR CVE-2009-4244).

Linux versions of RealPlayer and Helix Player don't seem to support skins (CVE-2009-4246).

Comment 3 Tomas Hoger 2010-02-03 11:06:46 UTC
RealNetworks confirmed that vulnerabilities 4, 5, 6 and 9 (listed in comment #1) did not affect HelixPlayer 1.x.

RealNetworks also confirmed that vulnerability 1 did not affect HelixPlayer 1.x.  According to ZDI, the flaw existed in the code responsible for parsing ASMRuleBook structures in the Real Media (RM) format files.  Codec for RM format is not included with HelixPlayer.

Comment 4 Tomas Hoger 2010-02-04 14:53:14 UTC
Remaining vulnerabilities 2, 3, 7, 8, 10, and 11 are tracked via separate bugs:

bug #561436 - GIF file heap overflow
bug #561388 - HTTP chunk encoding overflow
bug #561441 - compressed GIF heap overflow
bug #561309 - SMIL getAtom heap buffer overflow
bug #561338 - RTSP client ASM RuleBook stack buffer overflow
bug #561361 - RTSP SET_PARAMETER buffer overflow

While collecting patches for those issues, two additional older security fixes were spotted in the upstream CVS:

bug #561856 - URL unescape buffer overflow
bug #561860 - rule book handling heap corruption

Comment 5 Tomas Hoger 2010-02-09 09:09:19 UTC
Closing this one, all relevant issues are tracked via separate bugs.

