[helix-maintainers] Bug#340270: helix-player: CVE-2005-2629, CVE-2005-2630: Do these vulnerabilities affect Helix as well?

Noah Meyerhans noahm at debian.org
Tue Nov 22 15:18:47 UTC 2005


On Tue, Nov 22, 2005 at 10:43:53AM +0100, Moritz Muehlenhoff wrote:
> There's been an eeye advisory about several serious security problems in
> Real Player: http://www.eeye.com/html/research/advisories/AD20051110b.html
> 
> According to some other security web sites Helix player might be affected
> as well: http://www.frsirt.com/english/advisories/2005/2385
> 
> As some Real Player vulnerabilities in the past affected Helix as well
> this could be correct, can you confirm it?

<sigh>  More vulnerabilities so soon?  Yes, these problems almost
certainly affect sarge.  Our helix-player package received an update for
multiple vulnerabilities less than 2 months ago... And now more.  It's
not particularly comforting.

According to http://service.real.com/help/faq/security/051110_player/EN/
helix-player is not vulnerable to the "malicious skin" problems, but
only to the "stack overrun via malicious RealMedia file".  This bug is
allegedly fixed in 1.0.6.

I can examine the diff between 1.0.5 and 1.0.6 and try to isolate the
changes relative to the security problem.  Or, if the maintainer (or
anybody else) could do it sooner, that would be appreciated.  I'm not
sure if I'll have time today or not...

noah

