Debian Bug report logs - #132528: realplayer: Buffer Overrun Exploit
Reported by: Nicolas Lidzborski <cpc@freeshell.org>
Date: Wed, 6 Feb 2002 00:18:05 UTC
Severity: grave
Tags: security
Found in version 8.0.6
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Brian Russo <wolfie@debian.org>, realplayer@packages.qa.debian.org: Bug#132528; Package realplayer.
Acknowledgement sent to Nicolas Lidzborski <cpc@freeshell.org>: New Bug report received and forwarded. Copy sent to Brian Russo <wolfie@debian.org>, realplayer@packages.qa.debian.org.
Message #5 received at submit@bugs.debian.org:
Package: realplayer
Version: 8.0.6
Severity: grave
Tags: security
Justification: user security hole
Real has discovered a buffer overrun in one of their libs used by RealPlayer.
They provide a new lib to replace the flawed one.
Check:
http://www.service.real.com/help/faq/security/bufferoverrun.html
Could be a good idea to download the patch (just the rmffplin library) and
to strip it afterwards.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux gandalf.intalio.com 2.4.14 #6 Sat Nov 10 13:25:00 PST 2001 i686
Locale: LANG=C, LC_CTYPE=fr_FR@euro
Versions of packages realplayer depends on:
ii cpio 2.4.2-39 GNU cpio -- a program to manage ar
ii debconf 1.0.25 Debian configuration management sy
ii libc6 2.2.4-7 GNU C Library: Shared libraries an
ii xlib6g 4.1.0-13 pseudopackage providing X librarie
ii xlibs 4.1.0-13 X Window System client libraries
Message #10 received at 132528@bugs.debian.org, from Brian Russo <brian@entropy.net>:
Is this .so freely distributable?
Probably not; I don't see how I would really go about
'patching' this if I cannot distribute the patch.
Real has not released a new version of the RPM (still cs2),
so unless they have 'silently' added the new .so,
there's not much I can do. Else I could release a new .deb,
which asks for the new rpm. Better than nothing, 'twould be.
Perhaps I should make some kind of announcement telling people to
apply the patch themselves.
I'm open to suggestions...
- bri
At Tue, Feb 05, 2002 at 04:12:17PM -0800, Nicolas Lidzborski wrote:
> Package: realplayer
> Version: 8.0.6
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Real has discovered a buffer overrun in one of their libs used by RealPlayer.
> They provide a new lib to replace the flawed one.
>
> Check:
> http://www.service.real.com/help/faq/security/bufferoverrun.html
>
> Could be a good idea to download the patch (just the rmffplin library) and
> to strip it afterwards.
--
/\_/\ Brian Russo <brian@entropy.net>
\. ./ Debian/GNU Linux Developer <wolfie@debian.org>
/\_/\ 404E 87E8 DD0C 275B 742B 09AD 2243 839C 54D8 1666
Message #15 received at 132528@bugs.debian.org, from Jamie Wilkinson <jaq@spacepants.org>:
This one time, at band camp, Brian Russo wrote:
>Is this .so freely distributable?
>probably not, I don't see how I would really go about
>'patching' this if I cannot distribute the patch.
>
>Real has not released a new version of the RPM (still cs2),
>so unless they have 'silently' added the new .so,
>there's not much I can do. Else I could release a new .deb,
>which asks for the new rpm. Better than nothing, 'twould be.
You could download the extra .so in your postinst and install it, or add a
debconf note suggesting that the admin downloads it to a place where you can
install it from.
--
jaq@spacepants.org http://spacepants.org/jaq.gpg
<dopey_rant> polls = trolls
Message #20 received at 132528@bugs.debian.org, from Brian Russo <brian@entropy.net>:
At Wed, Feb 06, 2002 at 12:38:21PM +1100, Jamie Wilkinson wrote:
> This one time, at band camp, Brian Russo wrote:
> >Is this .so freely distributable?
> >probably not, I don't see how I would really go about
> >'patching' this if I cannot distribute the patch.
> >
> >Real has not released a new version of the RPM (still cs2),
> >so unless they have 'silently' added the new .so,
> >there's not much I can do. Else I could release a new .deb,
> >which asks for the new rpm. Better than nothing, 'twould be.
>
> You could download the extra .so in your postinst and install it, or add a
> debconf note suggesting that the admin downloads it to a place where you can
> install it from.
I don't like the downloading-from-the-web idea,
mainly because it's buggy and won't work for everyone.
I emailed -user with a mini advisory for now.
Message #25 received at 132528@bugs.debian.org, from Matt Zimmerman <mdz@debian.org>:
realplayer has now been removed from woody because of this bug. Do you have
plans to do something about this?
--
- mdz
Message #30 received at 132528@bugs.debian.org, from Martin Michlmayr <tbm@cyrius.com>:
* Matt Zimmerman <mdz@debian.org> [20020310 11:38]:
> realplayer has now been removed from woody because of this bug. Do
> you have plans to do something about this?
Matt, realplayer has been orphaned. Thomas Seyrat wanted to adopt it
but he's waiting for the DAM to approve him. Perhaps you want to
sponsor his upload?
--
Martin Michlmayr
tbm@cyrius.com
Message #35 received at 132528@bugs.debian.org, from Thomas Seyrat <thomas@glou.net>:
Martin Michlmayr wrote:
> * Matt Zimmerman <mdz@debian.org> [20020310 11:38]:
> > realplayer has now been removed from woody because of this bug. Do
> > you have plans to do something about this?
> Matt, realplayer has been orphaned. Thomas Seyrat wanted to adopt it
> but he's waiting for the DAM to approve him. Perhaps you want to
> sponsor his upload?
Indeed I recently adopted this package, and prepared a preliminary
new version fixing some of the minor bugs. Yet, as I am not yet a real
debconf expert, I have some trouble fixing the RC one, since the
security problem has to be fixed with user intervention at postinst
time.
I hope I can find how to fix it soon, then give it to a DD for upload.
--
Thomas Seyrat.
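The install step that Jamie Wilkinson's message above suggests, and that Thomas Seyrat says he is stuck on (have the admin fetch Real's replacement library themselves, then let postinst install it from a local path), as an added example in POSIX shell. This is not code from the bug log or from the Debian realplayer package. It assumes a hypothetical debconf question realplayer/patch_path for the path, a placeholder destination directory, and an expected SHA-256 digest that the caller obtains out of band, since the page gives no digest for the fixed rmffplin library. The point a packager would want here is that a postinst should refuse anything that is not the expected ELF object, rather than trust whatever the admin's browser saved from a plain-HTTP download.

```shell
#!/bin/sh
# Added example (not from the bug log or the Debian realplayer package).
# Installs an admin-supplied vendor library only after checking that it is
# a regular file, looks like an ELF object, and has the expected SHA-256.
# In a real postinst the source path would come from debconf, e.g.
#     . /usr/share/debconf/confmodule
#     db_get realplayer/patch_path && SRC="$RET"
# (realplayer/patch_path is a hypothetical question name). Here the path,
# destination directory and digest are plain arguments so the script runs
# stand-alone; the real digest of Real's fixed rmffplin.so is not given on
# the page and must be supplied by the caller.

set -u

sha256_of() {
    # Print the hex SHA-256 of file $1 using whichever tool is available.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

is_elf() {
    # The first four bytes of an ELF object are 0x7f 'E' 'L' 'F'.
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# install_vendor_lib SRC DESTDIR EXPECTED_SHA256
# Installs SRC as DESTDIR/<basename of SRC> and returns 0 only when every
# check passes. On any failure DESTDIR is left untouched and a non-zero
# status is returned, so the postinst fails loudly instead of silently
# shipping a truncated download or an HTML error page as a plugin.
install_vendor_lib() {
    src=$1; destdir=$2; expected=$3
    name=$(basename "$src")

    if [ ! -f "$src" ]; then
        echo "install_vendor_lib: $src is not a regular file" >&2
        return 1
    fi
    if ! is_elf "$src"; then
        echo "install_vendor_lib: $src is not an ELF object (truncated download or error page?)" >&2
        return 2
    fi
    actual=$(sha256_of "$src")
    if [ "$actual" != "$expected" ]; then
        echo "install_vendor_lib: digest mismatch for $src" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 3
    fi

    # Stage the copy under a temporary name in the target directory and
    # rename it into place, so nothing loading from that directory ever
    # sees a half-written library.
    mkdir -p "$destdir"
    stage=$(mktemp "$destdir/.$name.XXXXXX") || return 4
    if ! install -m 0644 "$src" "$stage"; then
        rm -f "$stage"
        return 4
    fi
    mv -f "$stage" "$destdir/$name"
}
```

Stripping the installed copy, as the original reporter suggested, belongs after the copy and after the digest check, since stripping changes the file's hash and would otherwise make a correct download fail verification.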
Message #40 received at 132528@bugs.debian.org, from Matt Zimmerman <mdz@debian.org>:
On Sun, Mar 10, 2002 at 07:36:53PM +0100, Martin Michlmayr wrote:
> * Matt Zimmerman <mdz@debian.org> [20020310 11:38]:
> > realplayer has now been removed from woody because of this bug. Do
> > you have plans to do something about this?
>
> Matt, realplayer has been orphaned. Thomas Seyrat wanted to adopt it
> but he's waiting for the DAM to approve him. Perhaps you want to
> sponsor his upload?
I didn't realize this...the realplayer in unstable still says:
Maintainer: Brian Russo <wolfie@debian.org>
I will see about sponsoring an upload when Thomas has fixed packages.
--
- mdz
Reply sent to Colin Watson <cjwatson@debian.org>: You have taken responsibility.
Notification sent to Nicolas Lidzborski <cpc@freeshell.org>: Bug acknowledged by developer.
Message #45 received at 132528-done@bugs.debian.org, from Colin Watson <cjwatson@debian.org>:
Hi,
The realplayer package has been removed from the Debian archive, so I'm
closing its bugs. If anybody is going to reintroduce it, please be sure
to fix at least the release-critical bugs first.
=========================================================================
[Date: Mon, 11 Nov 2002 06:43:42 -0500] [ftpmaster: Anthony Towns]
Removed the following packages from unstable:
realplayer | 8.0.6 | source, i386
------------------- Reason -------------------
purged by RM; see bugs 132528 143626 150806
----------------------------------------------
=========================================================================
Regards,
--
Colin Watson [cjwatson@flatline.org.uk]
Last modified: Mon Jun 5 02:11:16 2023