Debian Bug report logs - #358754
[CVE-2005-2922] Invalid chunk size heap overflow vulnerability

Package: helix-player; Maintainer for helix-player is (unknown);

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Fri, 24 Mar 2006 10:33:04 UTC

Severity: grave

Tags: security

Found in version helix-player/1.0.6-3

Fixed in version helix-player/1.0.7-1

Done: Daniel Baumann <daniel.baumann@panthera-systems.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#358754; Package helix-player.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: [CVE-2005-2922] Invalid chunk size heap overflow vulnerability
Date: Fri, 24 Mar 2006 11:20:50 +0100
Package: helix-player
Version: 1.0.6-3
Severity: grave
Tags: security

A new vulnerability in helix-player has been disclosed.

From: labs-no-reply <labs-no-reply@idefense.com>
Subject: [VulnWatch] iDefense Security Advisory 03.23.06: RealNetworks RealPlayer and
 Helix Player Invalid Chunk Size Heap Overflow Vulnerability
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
	full-disclosure@lists.grok.org.uk
Date: Thu, 23 Mar 2006 17:57:49 -0500
Message-ID: <442327ED.4050605@idefense.com>

RealNetworks RealPlayer and Helix Player Invalid Chunk Size Heap
Overflow Vulnerability

iDefense Security Advisory 03.23.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=404
March 23, 2006

I. BACKGROUND

RealPlayer is an application for playing various media formats,
developed by RealNetworks Inc. For more information, visit
http://www.real.com/.

II. DESCRIPTION

Remote exploitation of a heap-based buffer overflow in RealNetworks Inc.'s
RealPlayer could allow the execution of arbitrary code in the context of
the currently logged in user.

[...]
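
The advisory excerpt above names the bug class (a chunk length taken from the file and trusted) but stops before any technical detail, and the page carries no Helix source. The following is an added example, not code from iDefense, RealNetworks or the helix-player package: a toy parser for a hypothetical chunked container (4-byte tag, 4-byte little-endian payload length, then payload; the layout, the MAX_CHUNK_LEN cap and every function name are assumptions) showing the invalid-chunk-size pattern in an unchecked version beside a hardened version that bounds the declared length before it drives any allocation or copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical chunked format (not Helix's): 4-byte tag, 4-byte little-endian
 * payload length, then the payload. The cap is an assumed format limit. */
#define CHUNK_HDR_LEN 8u
#define MAX_CHUNK_LEN (16u * 1024u * 1024u)

struct chunk {
    uint32_t tag;
    uint32_t len;      /* payload length as declared in the header */
    uint8_t *data;     /* heap copy of header + payload */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Size the unchecked parser hands to malloc for a declared length. The
 * arithmetic is 32-bit, so a length near UINT32_MAX wraps to a tiny value. */
uint32_t unchecked_alloc_size(uint32_t declared_len)
{
    return declared_len + CHUNK_HDR_LEN;
}

/* VULNERABLE pattern (illustrative only): the length field is trusted.
 * (1) declared_len + 8 wraps, so the buffer is far too small for the copy
 *     of declared_len bytes that follows: heap overflow.
 * (2) declared_len larger than the remaining input reads past `in`. */
int parse_chunk_unchecked(const uint8_t *in, size_t in_len, struct chunk *out)
{
    if (in_len < CHUNK_HDR_LEN)
        return -1;
    out->tag = rd_le32(in);
    out->len = rd_le32(in + 4);
    out->data = malloc(unchecked_alloc_size(out->len));
    if (out->data == NULL)
        return -1;
    memcpy(out->data, in, CHUNK_HDR_LEN);
    memcpy(out->data + CHUNK_HDR_LEN, in + CHUNK_HDR_LEN, out->len); /* overflows */
    return 0;
}

/* HARDENED: reject any declared length that exceeds the bytes actually
 * present or the format maximum before it reaches malloc or memcpy.
 * Because len <= in_len - 8 here, (size_t)len + 8 cannot wrap. */
int parse_chunk_checked(const uint8_t *in, size_t in_len, struct chunk *out)
{
    if (in_len < CHUNK_HDR_LEN)
        return -1;
    uint32_t len = rd_le32(in + 4);
    if (len > in_len - CHUNK_HDR_LEN || len > MAX_CHUNK_LEN)
        return -1;                          /* invalid chunk size: reject */
    size_t need = (size_t)len + CHUNK_HDR_LEN;
    uint8_t *buf = malloc(need);
    if (buf == NULL)
        return -1;
    memcpy(buf, in, need);
    out->tag = rd_le32(in);
    out->len = len;
    out->data = buf;
    return 0;
}

void chunk_free(struct chunk *c) { free(c->data); c->data = NULL; }

/* Constructed test input: a 16-byte chunk ("MDAT" tag, 8 bytes of 'A'
 * payload) whose header may declare any length at all. */
size_t build_chunk(uint8_t *buf, uint32_t declared_len)
{
    memcpy(buf, "MDAT", 4);
    wr_le32(buf + 4, declared_len);
    memset(buf + CHUNK_HDR_LEN, 0x41, 8);
    return 16;
}

int main(void)
{
    uint8_t buf[16];
    struct chunk c;

    build_chunk(buf, 8);                        /* honest length */
    printf("benign, checked:   %d\n", parse_chunk_checked(buf, sizeof buf, &c));
    chunk_free(&c);

    build_chunk(buf, 0xFFFFFFFCu);              /* hostile: 0xFFFFFFFC + 8 wraps to 4 */
    printf("hostile: unchecked would malloc(%u) then copy %u bytes\n",
           (unsigned)unchecked_alloc_size(0xFFFFFFFCu), (unsigned)0xFFFFFFFCu);
    printf("hostile, checked:  %d\n", parse_chunk_checked(buf, sizeof buf, &c));

    build_chunk(buf, 100);                      /* longer than the input */
    printf("overlong, checked: %d\n", parse_chunk_checked(buf, sizeof buf, &c));
    return 0;
}
```

The hostile case is only computed, never executed through the unchecked parser, because that path really would write past the allocation. Two points worth noting: bounding the length against the bytes present removes the integer wrap as a side effect, since the length can then be no larger than in_len - 8; and rejecting is preferable to clamping, because a chunk whose declared size does not fit the input is malformed, and silently truncating it just moves the confusion into later parsing stages.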



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#358754; Package helix-player.


Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.


Message #10 received at 358754@bugs.debian.org:

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: Florian Weimer <fw@deneb.enyo.de>, 358754@bugs.debian.org
Subject: Re: Bug#358754: [CVE-2005-2922] Invalid chunk size heap overflow vulnerability
Date: Fri, 24 Mar 2006 11:46:28 +0100
Florian Weimer wrote:
> A new vulnerability in helix-player has been disclosed.

I'm aware of it and opened the following bug a few hours ago about the
missing source-code.

https://bugs.helixcommunity.org/show_bug.cgi?id=4885

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#358754; Package helix-player.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.


Message #15 received at 358754@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 358754@bugs.debian.org
Subject: Affected by CVE-2006-0323 as well
Date: Fri, 24 Mar 2006 13:59:52 +0100
According to
http://www.service.real.com/realplayer/security/03162006_player/en/
Helix is affected by CVE-2006-0323 as well.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#358754; Package helix-player.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.


Message #20 received at 358754@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 358754@bugs.debian.org
Subject: CVE-2006-0323
Date: Mon, 27 Mar 2006 12:08:19 +0200
Hi,
It was pointed out that Helix Player is not affected
by CVE-2006-0323, as no SWF code is integrated in Helix.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#358754; Package helix-player.


Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.


Message #25 received at 358754@bugs.debian.org:

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: Rishi Mathew <rmathew@real.com>, David Hirayama <dhirayama@real.com>, Donya Shirzad <dshirzad@real.com>, Scott Nelson <snelson@real.com>, Greg Wright <gwright@real.com>, Michael Frazier <mfrazier@real.com>, kevinf@real.com
Cc: 321195@bugs.debian.org, 358754@bugs.debian.org
Subject: Last call to prevent Helix being removed from Debian
Date: Sun, 09 Apr 2006 16:28:14 +0200
Hi,

in December 2005, the Helix Team was informed about the undistributable
code in Helix Player (some code does not have a license at all, and the
dna code which is available separately, is even non-free). Since then,
no action was taken to solve the problem.

With the 1.0.7 release of Helix Player, the Helix Team decided to no
longer ship the source-code (the source tarball contains a src.rpm which
contains binary-only stuff, but no source-code). It can't be obtained
via CVS, the respective module is empty (yes, I did log in properly).
Although I opened bug #4885 on helixcommunity, there is still no
reaction to that.

Please note that I have the *right* to get the source-code: I have
downloaded the binary and decided to use it under the GNU General Public
License, so you *must* ship it to me when I ask for it (at least for the
parts which are properly licensed).

This is your last chance - if you don't fix the two issues and/or answer
by Apr 11, 2006 12:00 UTC at the latest, I will request the removal of
helix-player from Debian.

For your reference:
  * Undistributable code - http://bugs.debian.org/321195
  * No source - http://bugs.debian.org/358754

Regards,
Daniel

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#358754; Package helix-player.


Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.


Message #30 received at 358754@bugs.debian.org:

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: 358754@bugs.debian.org
Subject: [Fwd: [Bug 4885] Source-Code is missing, only binary-only is provided]
Date: Mon, 10 Apr 2006 21:57:28 +0200
[Message part 1 (text/plain, inline)]
Seems like someone is alive, finally.

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/
[[Bug 4885] Source-Code is missing, only binary-only is provided (message/rfc822, inline)]
From: Helix Bug Tracker <admin@helixcommunity.org>
To: daniel.baumann@panthera-systems.net
Subject: [Bug 4885] Source-Code is missing, only binary-only is provided
Date: Mon, 10 Apr 2006 12:39:10 -0700
https://bugs.helixcommunity.org/show_bug.cgi?id=4885


guest changed:

           What    |Removed                     |Added                       
----------------------------------------------------------------------------
             Status|NEW                         |OPEN                        
           Severity|S4                          |S3                          
         AssignedTo|TRIAGE                      |PGM                         
           Priority|P4                          |P1                          




------- Additional Comments From guest 2006-10-04 12:39 GMT-0800 -------
TRIAGE:  This is not intentional.  We are looking into the lack of source posted for the RealPlayer
10.0.7 and the Helix Player 1.0.7 now.  

-- 
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.


This e-mail is sent to you automatically from the Helix Bug Tracker.  Please, do
not respond to this message, but instead edit your Bug Tracker user preferences
to change when Bug Tracker sends you e-mail.

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#358754; Package helix-player.


Acknowledgement sent to mfrazier@real.com:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.


Message #35 received at 358754@bugs.debian.org:

From: "mfrazier" <mfrazier@real.com>
To: daniel.baumann@panthera-systems.net, "'Rishi Mathew'" <rmathew@real.com>, "'David Hirayama'" <dhirayama@real.com>, "'Donya Shirzad'" <dshirzad@real.com>, "'Scott Nelson'" <snelson@real.com>, "'Greg Wright'" <gwright@real.com>, kevinf@real.com
Cc: 321195@bugs.debian.org, 358754@bugs.debian.org
Subject: RE: Last call to prevent Helix being removed from Debian
Date: Mon, 10 Apr 2006 14:14:18 -0700
Daniel - 

We are looking into this issue right now and I will respond with our
official plan once I have all the information.  I hope to send out email by
end of day.

One very important correction in your characterization of the issue below is
that the Helix Team did NOT decide to no longer ship the source-code.  We
understand this is an absolute requirement and we are working on rectifying
the situation.

I do have a question for you, so hopefully you can enlighten me: how would
you suggest we add license headers to .bmp files?

Mike


> -----Original Message-----
> From: Daniel Baumann [mailto:daniel.baumann@panthera-systems.net]
> Sent: Sunday, April 09, 2006 7:28 AM
> To: Rishi Mathew; David Hirayama; Donya Shirzad; Scott Nelson; Greg
> Wright; Michael Frazier; kevinf@real.com
> Cc: 321195@bugs.debian.org; 358754@bugs.debian.org
> Subject: Last call to prevent Helix being removed from Debian
> 
> Hi,
> 
> in December 2005, the Helix Team was informed about the undistributable
> code in Helix Player (some code does not have a license at all, and the
> dna code which is available separately, is even non-free). Since then,
> no action was taken to solve the problem.
> 
> With the 1.0.7 release of Helix Player, the Helix Team decided to no
> longer ship the source-code (the source tarball contains a src.rpm which
> contains binary-only stuff, but no source-code). It can't be obtained
> via CVS, the respective module is empty (yes, I did log in properly).
> Although I opened bug #4885 on helixcommunity, there is still no
> reaction to that.
> 
> Please note that I have the *right* to get the source-code: I have
> downloaded the binary and decided to use it under the GNU General Public
> License, so you *must* ship it to me when I ask for it (at least for the
> parts which are properly licensed).
> 
> This is your last chance - if you don't fix the two issues and/or answer
> by Apr 11, 2006 12:00 UTC at the latest, I will request the removal of
> helix-player from Debian.
> 
> For your reference:
>   * Undistributable code - http://bugs.debian.org/321195
>   * No source - http://bugs.debian.org/358754
> 
> Regards,
> Daniel
> 
> --
> Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
> Email:          daniel.baumann@panthera-systems.net
> Internet:       http://people.panthera-systems.net/~daniel-baumann/




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#358754; Package helix-player.


Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.


Message #40 received at 358754@bugs.debian.org:

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: mfrazier@real.com
Cc: 'Rishi Mathew' <rmathew@real.com>, 'David Hirayama' <dhirayama@real.com>, 'Donya Shirzad' <dshirzad@real.com>, 'Scott Nelson' <snelson@real.com>, 'Greg Wright' <gwright@real.com>, kevinf@real.com, 321195@bugs.debian.org, 358754@bugs.debian.org
Subject: Re: Last call to prevent Helix being removed from Debian
Date: Mon, 10 Apr 2006 23:46:34 +0200
mfrazier wrote:
> We are looking into this issue right now and I will respond with our
> official plan once I have all the information.  I hope to send out email by
> end of day.

Fine, thanks for your answer.

> I do have a question for you so hopefully you can enlighten me on how would
> you suggest we add license headers to a .bmp files.

I suggest you do the following three things.

1. put build/LICENSE.txt, build/RCSL.txt, build/RPSL.txt, and
   build/GPL.txt into the root-directory of the source-tarball.

2. Change the following line in LICENSE.txt:

   Old: "Alternatively, the contents of this directory may be used under
         the terms of the GNU General Public License Version 2 or later"

   New: "Alternatively, the contents of this directory, and (except
         where otherwise indicated) the directories included within this
         directory, may be used under the terms of the GNU General
         Public License Version 2 or later"

If you license it like this, we can properly redistribute helix-player.
Please also consider adjusting these changes for the other helix
products (Producer, Server, DNA Client etc.), so we can include those
packages too.

Regards,
Daniel

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Reply sent to Daniel Baumann <daniel.baumann@panthera-systems.net>:
You have taken responsibility.


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.


Message #45 received at 358754-close@bugs.debian.org:

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: 358754-close@bugs.debian.org
Subject: Bug#358754: fixed in helix-player 1.0.7-1
Date: Sat, 22 Apr 2006 14:18:07 -0700
Source: helix-player
Source-Version: 1.0.7-1

We believe that the bug you reported is fixed in the latest version of
helix-player, which is due to be installed in the Debian FTP archive:

helix-player_1.0.7-1.diff.gz
  to pool/main/h/helix-player/helix-player_1.0.7-1.diff.gz
helix-player_1.0.7-1.dsc
  to pool/main/h/helix-player/helix-player_1.0.7-1.dsc
helix-player_1.0.7-1_i386.deb
  to pool/main/h/helix-player/helix-player_1.0.7-1_i386.deb
helix-player_1.0.7.orig.tar.gz
  to pool/main/h/helix-player/helix-player_1.0.7.orig.tar.gz
mozilla-helix-player_1.0.7-1_i386.deb
  to pool/main/h/helix-player/mozilla-helix-player_1.0.7-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 358754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel.baumann@panthera-systems.net> (supplier of updated helix-player package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 19 Apr 2006 07:47:00 +0100
Source: helix-player
Binary: mozilla-helix-player helix-player
Architecture: source i386
Version: 1.0.7-1
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <daniel.baumann@panthera-systems.net>
Changed-By: Daniel Baumann <daniel.baumann@panthera-systems.net>
Description: 
 helix-player - the helix audio and video player
 mozilla-helix-player - the helix audio and video player (browser plugin)
Closes: 339469 358754
Changes: 
 helix-player (1.0.7-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes multiple heap-based buffer overflows addressed in CVE-2005-2922
       (Closes: #358754).
     - some buildsystem fixes (Closes: #339469).
Files: 
 d79bdd12a6320f064b9ed3c164488233 864 graphics optional helix-player_1.0.7-1.dsc
 a10168bf83e6edbbc8bc51923554fd60 18584434 graphics optional helix-player_1.0.7.orig.tar.gz
 893f8e96caf8a2c7c474b257ecfda880 11350 graphics optional helix-player_1.0.7-1.diff.gz
 840f2d83136124626dbffb931ac509b2 4170220 graphics optional helix-player_1.0.7-1_i386.deb
 6a89e9144999f92058baf642a77cdf07 48852 web optional mozilla-helix-player_1.0.7-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFESnbAxa93SlhRC1oRAlXwAJ9dWxVSh9FMW3eReP5pf27GRA2E5QCeKF7s
jDEED5Zj2rKXx/Ax4dsHkJM=
=MYRg
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 22:14:21 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 06:57:42 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.