
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                     RealPlayer & HelixPlayer Security Update
                  [Red Hat RHSA-2005:788-3 & RHSA-2005:762-12]

September 27, 2005 17:00 GMT                                      Number P-314
[REVISED 30 Sep 2005]
[REVISED 03 Oct 2005]
______________________________________________________________________________
PROBLEM:       There is a format string bug was discovered in the way RealPlayer
               and HelixPlayer process RealPix (.rp) files. 
SOFTWARE:      Linux RealPlayer 10 (10.0.0-5)
               Helix Player (10.0.0 - 5)
PLATFORM:      Red Hat Desktop (v. 4) 
               Red Hat Enterprise Linux AS, ES, WS (v. 3) & (v. 4)
			   Red Hat Enterprise Linux Extras (v. 3 ) & (v. 4) 
			   Debian GNU/Linux 3.1 alias sarge
DAMAGE:        It is possible for a malformed RealPix file to execute 
               arbitrary code as the user running RealPlayer and HelixPlayer. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. It is possible for a malformed RealPix file 
ASSESSMENT:    to execute arbitrary code as the user running RealPlayer and 
               HelixPlayer.  There are known exploits in the wild for this 
               vulnerability. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-314.shtml 
 ORIGINAL BULLETINS: Red Hat RHSA-2005:788-3
                     https://rhn.redhat.com/errata/RHSA-2005-788.html 
					 Red Hat RHSA-2005:762-12
					 https://rhn.redhat.com/errata/RHSA-2005-762.html 
 ADDITIONAL LINKS:   Debian Security Advisory DSA-826-1
                     http://www.debian.org/security/2005/dsa-826
                     Real Networks Security Update 9/30/05
                     http://service.real.com/help/faq/security/050930_player/EN/
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2005-2710 
______________________________________________________________________________
REVISION HISTORY:
09/30/2005 - revised to add a link to Debian Security Advisory DSA-826-1 
                for Debian GNU/Linux 3.1 alias sarge.
10/03/2005 - revised to add a link to Real Networks Security Update Document 
             that provides links to patches for Linux platforms.
			 
			 
[***** Start Red Hat RHSA-2005:788-3 *****]

Critical: HelixPlayer security update
Advisory: RHSA-2005:788-3 
Type: Security Advisory 
Issued on: 2005-09-27 
Last updated on: 2005-09-27 
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4) 
CVEs (cve.mitre.org): CAN-2005-2710
 


Details
An updated HelixPlayer package that fixes a string format issue is now 
available. 

This update has been rated as having critical security impact by the Red 
Hat Security Response Team.

HelixPlayer is a media player. 

A format string bug was discovered in the way HelixPlayer processes RealPix 
(.rp) files. It is possible for a malformed RealPix file to execute 
arbitrary code as the user running HelixPlayer. The Common Vulnerabilities 
and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2710 
to this issue. 

All users of HelixPlayer are advised to upgrade to this updated package, 
which contains HelixPlayer version 10.0.6 and is not vulnerable to this issue.



Solution
Before applying this update, make sure all previously released errata 
relevant to your system have been applied. 

This update is available via Red Hat Network. To use Red Hat Network, 
launch the Red Hat Update Agent with the following command: 

up2date 

This will start an interactive process that will result in the appropriate 
RPMs being upgraded on your system.


Updated packages
Red Hat Desktop (v. 4) 

--------------------------------------------------------------------------------
 
SRPMS: 
HelixPlayer-1.0.6-0.EL4.1.src.rpm     77bcadb90099c21c579ad8f51d4c7292 
  
IA-32: 
HelixPlayer-1.0.6-0.EL4.1.i386.rpm     40ff8c8ac5f9acc8019db7bd91a1f819 
  
x86_64: 
HelixPlayer-1.0.6-0.EL4.1.i386.rpm     40ff8c8ac5f9acc8019db7bd91a1f819 
  
Red Hat Enterprise Linux AS (v. 4) 

--------------------------------------------------------------------------------
 
SRPMS: 
HelixPlayer-1.0.6-0.EL4.1.src.rpm     77bcadb90099c21c579ad8f51d4c7292 
  
IA-32: 
HelixPlayer-1.0.6-0.EL4.1.i386.rpm     40ff8c8ac5f9acc8019db7bd91a1f819 
  
PPC: 
HelixPlayer-1.0.6-0.EL4.1.ppc.rpm     1604bc8fa9eb7d6ef1733d3b047b8cc9 
  
x86_64: 
HelixPlayer-1.0.6-0.EL4.1.i386.rpm     40ff8c8ac5f9acc8019db7bd91a1f819 
  
Red Hat Enterprise Linux ES (v. 4) 

--------------------------------------------------------------------------------
 
SRPMS: 
HelixPlayer-1.0.6-0.EL4.1.src.rpm     77bcadb90099c21c579ad8f51d4c7292 
  
IA-32: 
HelixPlayer-1.0.6-0.EL4.1.i386.rpm     40ff8c8ac5f9acc8019db7bd91a1f819 
  
x86_64: 
HelixPlayer-1.0.6-0.EL4.1.i386.rpm     40ff8c8ac5f9acc8019db7bd91a1f819 
  
Red Hat Enterprise Linux WS (v. 4) 

--------------------------------------------------------------------------------
 
SRPMS: 
HelixPlayer-1.0.6-0.EL4.1.src.rpm     77bcadb90099c21c579ad8f51d4c7292 
  
IA-32: 
HelixPlayer-1.0.6-0.EL4.1.i386.rpm     40ff8c8ac5f9acc8019db7bd91a1f819 
  
x86_64: 
HelixPlayer-1.0.6-0.EL4.1.i386.rpm     40ff8c8ac5f9acc8019db7bd91a1f819 
  
(The unlinked packages above are only available from the Red Hat Network)
 


Bugs fixed (see bugzilla for more information)
168078 - CAN-2005-2710 HelixPlayer Format String Flaw



References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2710



--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on how 
to verify the signature are available from:
https://www.redhat.com/security/team/key/#package 

The Red Hat security contact is secalert@redhat.com. More contact details at 
http://www.redhat.com/security/team/contact/


[***** End Red Hat RHSA-2005:788-3 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-304: XFree86 Security Update
P-305: Sun JAR File Contents Disclosure
P-306: Apple Java Security Updates
P-307: TWiki History Function Vulnerability
P-308: 'kcheckpass' Vulnerability
P-309: VERITAS Storage Exec DCOM Server Buffer Overflows
P-310: Firefox Security Update
P-311: Mozilla Security Update
P-312: Apple Security Update 2005-008
P-313: Courier