realplayer security vulnerability

To: debian-user@lists.debian.org
Subject: realplayer security vulnerability
From: Brian Russo <brian@entropy.net>
Date: Thu, 7 Feb 2002 09:15:36 -0500
Message-id: <[🔎] 20020207141536.GH86119@sibum.pair.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


SUMMARY
- -------

There is (apparently) a security vulnerability in realplayer.
Little detail is given by Real, presumably this is exploitable 
remotely by an unscrupulous stream operator.

The file to upgrade is /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0

Real has documented this on their site here:
http://www.service.real.com/help/faq/security/bufferoverrun.html

The new .so is available here:
http://docs.real.com/docs/playerpatch/RP8_gold/rmffplin.so.6.0-linux-2.2-libc6-i386.gz



DEBIAN-SPECIFIC
- ---------------

Because the 'realplayer' package does not actually contain anything
substantial in it, rather it is an installer package -- frankly
there's no entirely satisfactory solution.

This is mainly due to their licensing, In correspondence, they
have always indicated to me that they do not wish 3rd parties
redistributing their software. I can only assume this applies
to this security fix. Their legalese license seems to indicate as much.
(/usr/share/doc/realplayer/LICENSE).

Therefore, I cannot simply uuencode the new .so into the .deb,
and install it in the postinst, or something similar.

Complain to Real about this, there's not much I can do about it.

Fortunately the fix is trivial.



INSTRUCTIONS
- ------------

To check if your current realplayer installation is vulnerable
to this bug, check your current version of rmffplin.so.6.0
with md5sum.

My old (vulnerable) version was.. (Yours may vary)
127bddd48a06673ec98a945b9c206a9e /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0

The new (fixed) version is..
201de7b7acbc467846fc9cd11ff90266  /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0

You may download the new .so from realplayer's site here (for libc 2.2)..
http://docs.real.com/docs/playerpatch/RP8_gold/rmffplin.so.6.0-linux-2.2-libc6-i386.gz

e.g.
Assuming you downloaded and gunzip'd the new .so to your home (~)..
(exit realplayer if running)
(become root)
# rm -f /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0
# cp ~/rmffplin.so.6.0-linux-2.2-libc6-i386 /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0
# chmod 644 /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0
# chown root:root /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0

md5sum /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0
should display..
201de7b7acbc467846fc9cd11ff90266  /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0


 - Brian Russo


P.S.
Beware, when I last checked, the RPM (*cs2*) on Real's site, did not contain
the updated rmffplin.so, so if you just installed you are probably not safe.

Of course, as joeyh pointed out, due to Real's practices,
they may silently update in future without warning.

P.P.S
My apologies for not bringing this to your attention sooner, I was only made
aware of it recently by Nicolas Lidzborski <cpc@freeshell.org>.
Thanks Nicolas!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjxiiX8ACgkQIkODnFTYFmZT5ACeLInmyWZcv0AiESFZ2sNOF4dJ
J5cAn0nBthWGbMXJWx79OFQqvm/NqnTC
=MszO
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: realplayer security vulnerability
  - From: Joey Hess <joey@kitenet.net>

Prev by Date: Re: empty emails every morning from debian box
Next by Date: Re: controlling apt-get
Previous by thread: Re: empty emails every morning from debian box
Next by thread: Re: realplayer security vulnerability
Index(es):
- Date
- Thread