SuSE: 2005-026: RealPlayer buffer overflow in RAM file handling Security Update
Summary
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: RealPlayer
Announcement-ID: SUSE-SA:2005:026
Date: Wed, 20 Apr 2005 09:00:00 +0000
Affected products: 9.2, 9.3
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE default package: yes
Cross References:
Content of this advisory:
1) security vulnerability resolved:
buffer overflow in RAM file handling
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
See SUSE Security Summary Report.
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
This update fixes a security issue within the RealPlayer media player.
A remote attacker could craft a special .RAM (Real Audio Media) file
which would cause a buffer overflow when played within RealPlayer.
This is the Real Player Update as referenced on this page:
https://www.real.com/
2) solution/workaround
None, please install the updated packages.
3) special instructions and notes
Restart RealPlayer if running.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
b6ca6d5c87690fca385981ccf272ddf1
SUSE Linux 9.2:
7e87cb712e6f07b9bdefe4f2ea79d6d0
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
References