[helix-maintainers] Bug#340270: helix-player: CVE-2005-2629,
CVE-2005-2630: Do these vulnerabilities affect Helix as well?
Noah Meyerhans
noahm at debian.org
Tue Nov 22 20:56:45 UTC 2005
On Tue, Nov 22, 2005 at 10:18:47AM -0500, Noah Meyerhans wrote:
> According to http://service.real.com/help/faq/security/051110_player/EN/
> helix-player is not vulnerable to the "malicious skin" problems, but
> only to the stack overrun via malicious RealMedia file". This bug is
> allegedly fixed in 1.0.6.
>
> I can examine the diff between 1.0.5 and 1.0.6 and try to isolate the
> changes relative to the security problem. Or, if the maintainer (or
> anybody else) could do it sooner, that would be appreciated. I'm not
> sure if I'll have time today or not...
OK, I've had some time to look at 1.0.6, and I'm confused. The code
seems to be fixing a problem relating to http chunked encoding support.
None of the reports at
http://service.real.com/help/faq/security/051110_player/EN/ or
cve.mitre.org or http://www.frsirt.com/english/advisories/2005/2385
mention http chunked encoding at all...
More details would be helpful. It may be that I'm looking at the right
bug, and am just confused by the terminology being used.
There's also the somewhat ominous sounding
http://service.real.com/help/faq/security/security111605.html
noah
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/helix-maintainers/attachments/20051122/fe17da29/attachment.pgp
More information about the helix-maintainers
mailing list