[helix-maintainers] Bug#316276: helix-player several vulnerabilities
Daniel Baumann
daniel.baumann at panthera-systems.net
Sun Sep 25 10:58:45 UTC 2005
Hi,
I have had an eye on helix-player for quite a long time. Unfortunately,
the maintainer is not very responsive. Since he didn't respond until
today, I originally wanted to do the security update myself. Now, this
will be done by the original maintainer, I guess/hope.
However, to support you in your work, I wrote a proposal for the DSA
(attached).
Regards,
Daniel
--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: daniel.baumann at panthera-systems.net
Internet: http://people.panthera-systems.net/~daniel-baumann/
-------------- next part --------------
------------------------------------------------------------------------
Debian Security Advisory Proposal Helix Player 1.0.5
http://www.daniel-baumann.ch/ Daniel Baumann
September 25, 2005
------------------------------------------------------------------------
Package : helix-player
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1766 CAN-2005-2052 CAN-2005-2054 CAN-2005-2055
Several vulnerabilities have been discovered in helix-player, a GTK2-based
media player written in C++. The Common Vulnerabilities and Exposures
project identifies the following problems:
CAN-2005-1766
Piotr Bania discovered how to fashion a malicious RAM file to
cause a buffer overflow which allowed an attacker to execute
arbitrary code on a customer's machine.
CAN-2005-2052 CAN-2005-2054 CAN-2005-2055
eEye Digital Security discovered how to fashion a malicious
RealMedia file which uses RealText to cause a heap overflow to
allow an attacker to execute arbitrary code on a customer's
machine.
The old stable distribution (woody) does not contain helix-player
packages.
For the stable distribution (sarge) these problems have been fixed in
version 1.0.5-1sarge1.
For the unstable distribution (sid) these problems have been fixed in
version 1.0.5-1.
We recommend that you upgrade your helix-player package.