Debian Bug report logs - #316276
security update


Package: helix-player; Maintainer for helix-player is (unknown);

Reported by: daniel.baumann@panthera-systems.net

Date: Wed, 29 Jun 2005 20:03:03 UTC

Severity: serious

Tags: security

Fixed in version helix-player/1.0.5-1

Done: Daniel Baumann <daniel.baumann@panthera-systems.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
New Bug report received and forwarded. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: submit@bugs.debian.org
Subject: New upstream release
Date: Wed, 29 Jun 2005 21:54:28 +0200
Package: helix-player
Severity: wishlist

Helix Player 10.0.5 is available.

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Changed Bug title. Request was from Daniel Baumann <daniel.baumann@panthera-systems.net> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `serious'. Request was from Daniel Baumann <daniel.baumann@panthera-systems.net> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #14 received at 316276@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: 316276@bugs.debian.org
Subject: security update
Date: Wed, 27 Jul 2005 15:40:10 +0200
When do you intend to update the package?

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Tags added: security Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to Thomas Maurer <tma@hispeed.ch>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #21 received at 316276@bugs.debian.org (full text, mbox):

From: Thomas Maurer <tma@hispeed.ch>
To: 316276@bugs.debian.org, daniel.baumann@panthera-systems.net
Subject: Re: Bug#316276: security update
Date: Sun, 07 Aug 2005 20:41:20 +0200
On Wednesday, 27.07.2005, 15:40 +0200, Daniel Baumann wrote:
> When do you intend to update the package?

Hi,

I'm still very busy, and only online at weekends.

If you can do an NMU, do it!

In 2 weeks I'll be back at home, and a lot more online, so I can solve this
problem.

Thanks in advance for your help.

Thomas




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #26 received at 316276@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: 316276@bugs.debian.org
Subject: Still interested?
Date: Mon, 19 Sep 2005 15:43:25 +0200
Hi,

six(!) weeks ago, you said you would have time to upgrade in 2 weeks. But
unfortunately, after a month still nothing has happened.

This bug is not a wish, it is a must-fix, because it affects users'
security. It has been known and unfixed for nearly three months now; please take it
seriously and respond asap.

If you are no longer interested in maintaining helix-player, please
say so. Besides that, if there is no answer within the next week, I
will at the latest hijack this package in two weeks, due to the fact that the
package is not being maintained anymore.

Regards,
Daniel

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #31 received at 316276@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: daniel.baumann@panthera-systems.net
Cc: 316276@bugs.debian.org
Subject: Re: Bug#316276: Still interested?
Date: Mon, 19 Sep 2005 19:10:29 +0200
Hi Daniel,

could you provide details why you tagged this bug "security", please?

Which vulnerabilities are fixed?  Is there a CAN assignment from MITRE?

Thanks,
Florian




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #36 received at 316276@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 316276@bugs.debian.org
Subject: Re: Bug#316276: Still interested?
Date: Mon, 19 Sep 2005 20:14:58 +0200
Florian Weimer wrote:
> could you provide details why you tagged this bug "security", please?

Of course..

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1766

Heap-based buffer overflow in vidplin.dll in RealPlayer 10 and 10.5
(6.0.12.1040 through 1069), RealOne Player v1 and v2, RealPlayer 8 and
RealPlayer Enterprise allows remote attackers to execute arbitrary code
via an .avi file with a modified strf structure value.

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/
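The CVE text above names a malformed `strf` structure in an AVI file as the trigger for a heap overflow. As an added example (not code from this bug report or from Helix Player), here is a bounds-checked reader for that chunk: the field layout follows the RIFF/AVI BITMAPINFOHEADER, the sample chunks are constructed, and every size field read from the file is checked against the bytes actually present before it is trusted, which is the check whose absence produces the class of bug the CVE describes.

```c
/* Added example, not code from Debian bug #316276 or from Helix Player:
 * a bounds-checked reader for the AVI 'strf' chunk (BITMAPINFOHEADER
 * layout).  The sample buffers below are constructed, not from a real file. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BIH_SIZE 40u   /* on-the-wire size of BITMAPINFOHEADER */
struct strf_video {                      /* fields read from the header */
    uint32_t bi_size;                    /* biSize: length declared inside the chunk */
    int32_t  width, height;
    uint32_t compression, extra_len;     /* codec FOURCC; bytes past the fixed header */
};

static uint32_t rd32(const uint8_t *p)   /* little-endian, alignment-safe */
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Parse a 'strf' chunk held in buf[0..len).  Returns 0 on success, -1 on any
 * inconsistency.  Both size fields come from the file, so each is checked
 * against the data present before anything is allocated or copied from it. */
int parse_strf(const uint8_t *buf, size_t len, struct strf_video *out)
{
    if (len < 8 || memcmp(buf, "strf", 4) != 0)
        return -1;                       /* no chunk header at all */
    uint32_t chunk_size = rd32(buf + 4);
    if (chunk_size > len - 8)
        return -1;                       /* declared size exceeds data present */
    if (chunk_size < BIH_SIZE)
        return -1;                       /* too short to hold the fixed header */
    const uint8_t *bih = buf + 8;
    uint32_t bi_size = rd32(bih);
    if (bi_size < BIH_SIZE || bi_size > chunk_size)
        return -1;                       /* inner size disagrees with outer size */
    out->bi_size     = bi_size;
    out->width       = (int32_t)rd32(bih + 4);
    out->height      = (int32_t)rd32(bih + 8);
    out->compression = rd32(bih + 16);
    out->extra_len   = chunk_size - BIH_SIZE;
    return 0;
}

/* Returns the parsed width, or -1 when the chunk is rejected. */
int strf_width_or_fail(const uint8_t *buf, size_t len)
{
    struct strf_video v;
    return parse_strf(buf, len, &v) == 0 ? v.width : -1;
}

/* Constructed chunks: a well-formed 320x240 header, and the same header with
 * the chunk size field inflated far beyond the 40 bytes that follow it. */
static const uint8_t GOOD_STRF[48] = {
    's','t','r','f', 40,0,0,0,  40,0,0,0,  0x40,0x01,0,0,  0xF0,0,0,0,
    1,0, 24,0,  0,0,0,0 };               /* remaining header bytes are zero */
static const uint8_t OVERSIZED_STRF[48] = {
    's','t','r','f', 0xFF,0xFF,0xFF,0x7F,  40,0,0,0,  0x40,0x01,0,0,  0xF0,0,0,0,
    1,0, 24,0,  0,0,0,0 };
int main(void)
{
    printf("good: width=%d\n", strf_width_or_fail(GOOD_STRF, sizeof GOOD_STRF));
    printf("oversized: %d\n", strf_width_or_fail(OVERSIZED_STRF, sizeof OVERSIZED_STRF));
    printf("truncated: %d\n", strf_width_or_fail(GOOD_STRF, 30));
    return 0;
}
```

The truncated case passes the same well-formed bytes with a shorter length, which is how a reader sees a file cut off mid-chunk.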



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #41 received at 316276@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: daniel.baumann@panthera-systems.net
Cc: 316276@bugs.debian.org
Subject: Re: Bug#316276: Still interested?
Date: Mon, 19 Sep 2005 20:29:11 +0200
* Daniel Baumann:

> Florian Weimer wrote:
>> could you provide details why you tagged this bug "security", please?
>
> Of course..
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1766
>
> Heap-based buffer overflow in vidplin.dll in RealPlayer 10 and 10.5
> (6.0.12.1040 through 1069), RealOne Player v1 and v2, RealPlayer 8 and
> RealPlayer Enterprise allows remote attackers to execute arbitrary code
> via an .avi file with a modified strf structure value.

Ah, I see, thanks a lot.  I've added this information to our tracker.
We missed it before because the CVE entry talks about RealPlayer only,
and we still have to adjust to the existence of Helix Player. 8-)



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #46 received at 316276@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: 316276@bugs.debian.org
Subject: Last try
Date: Sun, 25 Sep 2005 11:30:02 +0200
Hi,

as I got no answer at all from Thomas Maurer, I will hijack this package
at the beginning of next week.

Thomas, if you are reading this, this is your last opportunity to react.

Regards,
Daniel

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to tma@hispeed.ch:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #51 received at 316276@bugs.debian.org (full text, mbox):

From: "Thomas Maurer" <tma@hispeed.ch>
To: daniel.baumann@panthera-systems.net, 316276@bugs.debian.org
Subject: Re: [helix-maintainers] Bug#316276: Last try
Date: Sun, 25 Sep 2005 12:22:17 +0200 (CEST)
> Hi,
>
> as I got no answer at all from Thomas Maurer, I will hijack this package
> in the beginning of the next week.
>
> Thomas, if you are reading this, this is your last possibility to react.

Ehm, I don't understand your concerns.

I tried to contact some Debian devs who could help me out and upload the
package, but haven't succeeded so far. Could you help out? Hm, but you
aren't a Debian dev either.

The security update for sarge is done by the security team, as I understood it.

Thomas



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #56 received at 316276@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: tma@hispeed.ch
Cc: 316276@bugs.debian.org
Subject: Re: [helix-maintainers] Bug#316276: Last try
Date: Sun, 25 Sep 2005 12:44:49 +0200
Thomas Maurer wrote:
> Ehm, I don't understand your concerns.

Why do you answer only now?

> I tried to contact some debian devs who could help me out and upload the
> package, but didn't succeed till now. Could you help out? Hm, but you
> aren't a debian dev, too.

You should document what you do, via the BTS preferably.

> The security update for sarge is done by the security team, as I understood it.

No. It is your job to manage and coordinate security updates *together*
with the security team. How do they know about a security fix if you
don't tell them?

Please take this seriously, get in touch with the security team asap,
prepare a new package asap and take care of the other bugs,
especially #309121, as it makes helix-player not usable/buildable at
all on !sarge.

I'm a bit disappointed about how you maintain your package. With the
very long delays both in answering and reacting that you showed in #291596
and #305504, and now the same situation again.

I'm worried whether you are willing and able to maintain the package at all.
It is your *only* package in the archive, maybe you should reconsider
your priorities?

Friendly,
Daniel

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #61 received at 316276@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: team@security.debian.org
Cc: 316276@bugs.debian.org
Subject: helix-player several vulnerabilities
Date: Sun, 25 Sep 2005 12:58:45 +0200
Hi,

I have had an eye on helix-player for quite a long time. Unfortunately,
the maintainer is not very responsive. Since he did not respond until
today, I originally wanted to do the security update myself. Now, this
will be done by the original maintainer I guess/hope.

However.. to support you in your work, I wrote a proposal for the DSA
(attached).

Regards,
Daniel

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/
[helix-player-1.0.5_dsa-proposal.txt (text/plain, inline)]
------------------------------------------------------------------------
Debian Security Advisory Proposal                     Helix Player 1.0.5
http://www.daniel-baumann.ch/                             Daniel Baumann
September 25, 2005
------------------------------------------------------------------------

Package        : helix-player
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-1766 CAN-2005-2052 CAN-2005-2054 CAN-2005-2055

Several vulnerabilities have been discovered in helix-player, a GTK2-based
media player written in C++. The Common Vulnerabilities and Exposures
project identifies the following problems:

CAN-2005-1766

	Piotr Bania discovered how to fashion a malicious RAM file to
	cause a buffer overflow which allowed an attacker to execute
	arbitrary code on a customer's machine.

CAN-2005-2052 CAN-2005-2054 CAN-2005-2055

	eEye Digital Security discovered how to fashion a malicious
	RealMedia file which uses RealText to cause a heap overflow to
	allow an attacker to execute arbitrary code on a customer's
	machine.

The old stable distribution (woody) does not contain helix-player
packages.

For the stable distribution (sarge) these problems have been fixed in
version 1.0.5-1sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 1.0.5-1.

We recommend that you upgrade your helix-player package.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to Thomas Maurer <tma@hispeed.ch>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #66 received at 316276@bugs.debian.org (full text, mbox):

From: Thomas Maurer <tma@hispeed.ch>
To: 316276@bugs.debian.org, daniel.baumann@panthera-systems.net
Cc: team@security.debian.org
Subject: Re: Bug#316276: helix-player several vulnerabilities
Date: Sun, 25 Sep 2005 14:22:07 +0200
Thank you very much, Daniel. This looks good to me, except for the
following:

On Sunday, 25.09.2005, 12:58 +0200, Daniel Baumann wrote:
> For the stable distribution (sarge) these problems have been fixed in
> version 1.0.5-1sarge1.

It's version 1.0.4-1sarge0.
See: http://people.csail.mit.edu/noahm/debian/

> For the unstable distribution (sid) these problems have been fixed in
> version 1.0.5-1.

Thomas




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #71 received at 316276@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: team@security.debian.org
Cc: 316276@bugs.debian.org
Subject: helix-player for stable-security
Date: Sun, 25 Sep 2005 18:13:10 +0200
Hi,

with the maintainer's blessing, I made a package with the backported
security fix from helix-player 1.0.5, which fixes the already-mentioned
arbitrary code execution issues.

Please upload the following package as soon as possible:

http://archive.daniel-baumann.ch/debian/packages/helix-player/1.0.4-1sarge1/

Regards,
Daniel

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Maurer <tma@hispeed.ch>:
Bug#316276; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Maurer <tma@hispeed.ch>. Full text and rfc822 format available.

Message #76 received at 316276@bugs.debian.org (full text, mbox):

From: Noah Meyerhans <noahm@debian.org>
To: Daniel Baumann <daniel.baumann@panthera-systems.net>
Cc: team@security.debian.org, 316276@bugs.debian.org
Subject: Re: helix-player for stable-security
Date: Mon, 26 Sep 2005 11:47:27 -0400
On Sun, Sep 25, 2005 at 06:13:10PM +0200, Daniel Baumann wrote:
> with maintainers blessing, I made a package with the backported
> security-fix from helix-player 1.0.5 which fixes the already mentioned
> arbitrary code executions.

The security team has already prepared an upload.  While your efforts
are appreciated, they are redundant.


Reply sent to Daniel Baumann <daniel.baumann@panthera-systems.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to daniel.baumann@panthera-systems.net:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #81 received at 316276-close@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: 316276-close@bugs.debian.org
Subject: Bug#316276: fixed in helix-player 1.0.5-1
Date: Mon, 26 Sep 2005 11:17:12 -0700
Source: helix-player
Source-Version: 1.0.5-1

We believe that the bug you reported is fixed in the latest version of
helix-player, which is due to be installed in the Debian FTP archive:

helix-player_1.0.5-1.diff.gz
  to pool/main/h/helix-player/helix-player_1.0.5-1.diff.gz
helix-player_1.0.5-1.dsc
  to pool/main/h/helix-player/helix-player_1.0.5-1.dsc
helix-player_1.0.5-1_i386.deb
  to pool/main/h/helix-player/helix-player_1.0.5-1_i386.deb
helix-player_1.0.5.orig.tar.gz
  to pool/main/h/helix-player/helix-player_1.0.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 316276@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel.baumann@panthera-systems.net> (supplier of updated helix-player package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 25 Sep 2005 19:13:00 +0200
Source: helix-player
Binary: helix-player
Architecture: source i386
Version: 1.0.5-1
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <daniel.baumann@panthera-systems.net>
Changed-By: Daniel Baumann <daniel.baumann@panthera-systems.net>
Description: 
 helix-player - The Helix Community's open source media player
Closes: 316276
Changes: 
 helix-player (1.0.5-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes security problems in datatype/text/realtext/fileformat/rtffplin.cpp
       addressed in CAN-2005-1766, CAN-2005-2052, CAN-2005-2054, and
       CAN-2005-2055 (Closes: #316276).
   * Forced use of gcc-3.4/g++-3.4 in build/umakecf/gcc.cf and updated depends.
   * In agreement with Thomas, I setup myself as maintainer.
   * Bumped policy version.
Files: 
 3fc8eeaecfd2cb1011d049a738912b15 967 graphics optional helix-player_1.0.5-1.dsc
 5d6c0992c5d2e348425c316a8b1b9b6d 18181442 graphics optional helix-player_1.0.5.orig.tar.gz
 7c1cbb90656a9402299d8af4b7d4d379 7542 graphics optional helix-player_1.0.5-1.diff.gz
 35359c6e9b221f00157995e5504ff971 4208276 graphics optional helix-player_1.0.5-1_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 14:35:57 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:42:30 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.