[helix-maintainers] Bug#316276: helix-player several vulnerabilities

Daniel Baumann daniel.baumann at panthera-systems.net
Sun Sep 25 10:58:45 UTC 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have an eye on helix-player since quite a long time. Unfortunately,
the maintainer is not very reactive. Since he didn't respond except
today, I originally wanted to do the security-update myself. Now, this
will be done by the original maintainer I guess/hope.

However.. to support you in your work, I wrote a proposal for the DSA
(Attached).

Regards,
Daniel

- --
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann at panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDNoLl+C5cwEsrK54RAlx5AKCcSy5xWqTaxDMC2JdUD13R6awj9gCg15Lj
PBOvK694RagJHHoEqefatRY=
=xKKY
-----END PGP SIGNATURE-----
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory Proposal                     Helix Player 1.0.5
http://www.daniel-baumann.ch/                             Daniel Baumann
September 25, 2005
- - ------------------------------------------------------------------------

Package        : helix-player
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-1766 CAN-2005-2052 CAN-2005-2054 CAN-2005-2055

Several vulnerabilities have been discovered in helix-player, a GTK2 based
media player written in C++. The Common Vulnerabilities and Exposures
project identifies the following problems:

CAN-2005-1766

	Piotr Bania discovered how to fashion a malicious RAM file to
	cause a buffer overflow which allowed an attacker to execute
	arbitrary code on a customer's machine.

CAN-2005-2052 CAN-2005-2054 CAN-2005-2055

	eEye Digital Security discovered how to fashion a malicious
	RealMedia file which uses RealText to cause a heap overflow to
	allow an attacker to execute arbitrary code on a customer's
	machine.

The old stable distribution (woody) does not contain helix-player
packages.

For the stable distribution (sarge) these problems have been fixed in
version 1.0.5-1sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 1.0.5-1.

We recommend that you upgrade your helix-player package.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDNoKI+C5cwEsrK54RAhVRAKCUpHNMuM4mPZKjKFCL0FrO9iLvcACffUu4
ZUQg2rQQOQOCKNfhs5tA/XE=
=j6WA
-----END PGP SIGNATURE-----

More information about the helix-maintainers mailing list