Bug 75907 (CVE-2005-0755)

Summary: VUL-0: CVE-2005-0755: realplayer
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Stanislav Brabec <sbrabec>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: aj, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-0755: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: poc1.ram
poc2.ram
poc3.ram
poc4.ram

Description Ludwig Nussel 2005-04-06 11:09:17 UTC
We received the following report via security@suse.de.
This issue is not public yet, please keep any information about it inside SUSE.

Date: Tue, 05 Apr 2005 14:29:55 -0700
From: Michael Maloney <mmaloney@real.com>
To: novell-private-dev <novell-private-dev@helixcommunity.org>,
	security@suse.de
Cc: marcus.kraft@suse.com
Subject: [security@suse.de] RealPlayer for Linux SS4 RC Candidate Available
	For Testing

*SUBJECT:* CONFIDENTIAL: RP10 Security Update Release (10.0.4)
*BODY:*

Attention Linux RealPlayer Distribution Partner. We have an RC build 
available for immediate download and testing. This release contains a 
fix for a security vulnerability that is scheduled for release to 
coincide with an April 19th announcement of the vulnerability and 
patched build availability.

Release Name: *RealPlayer 10.0.4*
Partner acknowledgement by: *Apr 7*
Partner results expected by: *Apr 12*
Security Public Announcement/Builds go live: *Apr 19*

Partner RC Build Location:
https://helixcommunity.org/download.php/1111/RealPlayer-10.0.4-rc1.1-suse.i586.rpm.tar.bz2
https://helixcommunity.org/download.php/1112/RealPlayer-10.0.4-rc1.1-suse.src.rpm.tar.bz2

Partner Test Plan Location:
https://helixcommunity.org/docman/view.php/154/192/RealPlayer_Linux_SS4_smoketest.html
QA estimate for test plan: approximately 4 hours

Please download the build and run the RealPlayer Linux SS4 Testplan 
(condensed version) to verify integrity with your distribution. 
Coordinate test results and release scheduling with Michael Maloney at 
RealNetworks <mmaloney@real.com> <mailto:mmaloney@real.com>.

*Details of Vulnerability:*
The specific exploit was:
To fashion a malicious RAM file to cause a buffer overflow which could 
have allowed an attacker to execute arbitrary code on a customer's 
machine.  You can find the media for this exploit here. 
<https://tobor2.prognet.com/%7Evdendi/1112732307.77.28958/> Please use 
"security" (without quotes) as both username and password to retrieve 
the sample media within the next ten days.

Please treat this (including the dates) as confidential information due 
to the sensitive nature of the fix.
Do acknowledge this communication and send us your estimated test-plan 
completion dates by *EOD Thursday (Apr 7)*.

Thank you
QA Coordinator
Comment 1 Stanislav Brabec 2005-04-06 11:37:42 UTC
Should I first submit the package to Autobuild 9.2/9.3/STABLE? Or will the test
team test it first?
Comment 2 Stanislav Brabec 2005-04-06 11:44:04 UTC
Adding Juergen Weigert to Cc:. He must approve the version update because of
crypto regulations. I have approval only up to version 10.0.3 for SuSE Linux 9.3.

Now we need an update to 10.0.4 for 9.2, 9.3 and NLD.
Comment 3 Juergen Weigert 2005-04-06 13:27:01 UTC
Export authorities alerted. 
I expect approval for 10.0.4 tonight. 
Comment 4 Stanislav Brabec 2005-04-06 14:10:46 UTC
SuSE test builds are available at suse.de intranet: ~/sbrabec/RealPlayer.

Waiting for approval to submit updated packages to Autobuild.
Comment 5 Juergen Weigert 2005-04-06 15:16:48 UTC
Stano, go for it. 
Realplayer-10.0.4 has just received export approval. 
Comment 6 Marcus Meissner 2005-04-06 15:50:47 UTC
Created attachment 33289
poc1.ram
Comment 7 Marcus Meissner 2005-04-06 15:51:39 UTC
Created attachment 33290
poc2.ram
Comment 8 Marcus Meissner 2005-04-06 15:52:23 UTC
Created attachment 33291
poc3.ram
Comment 9 Marcus Meissner 2005-04-06 15:54:03 UTC
Created attachment 33292
poc4.ram
Comment 10 Stanislav Brabec 2005-04-06 16:48:29 UTC
Packages submitted to Autobuild for sles9-sld-i386, stable-i386, 9.2-i386, 9.3-i386.

The test files produce a screen-wide info window full of nonsense and a warning
in the console:

sbrabec@hammer:~/STABLE/SECURITY> realplay poc1.ram

(realplay.bin:23329): Pango-WARNING **: Invalid UTF-8 string passed to
pango_layout_set_text()
sbrabec@hammer:~/STABLE/SECURITY> realplay poc2.ram

(realplay.bin:23346): Pango-WARNING **: Invalid UTF-8 string passed to
pango_layout_set_text()
sbrabec@hammer:~/STABLE/SECURITY> realplay poc3.ram

(realplay.bin:23363): Pango-WARNING **: Invalid UTF-8 string passed to
pango_layout_set_text()
sbrabec@hammer:~/STABLE/SECURITY> realplay poc4.ram

(realplay.bin:23380): Pango-WARNING **: Invalid UTF-8 string passed to
pango_layout_set_text()
Comment 11 Marcus Meissner 2005-04-07 09:24:58 UTC
could you see crashes before the update? 
Comment 12 Stanislav Brabec 2005-04-07 13:48:57 UTC
Yes, 10.0.3 from 9.3 crashes:

sbrabec@hammer:~/STABLE/SECURITY> realplay poc1.ram
*** glibc detected *** malloc(): memory corruption: 0x08379950 ***
/usr/bin/realplay: line 75: 26266 Aborted                 $REALPLAYBIN "$@"
sbrabec@hammer:~/STABLE/SECURITY> realplay poc2.ram
*** glibc detected *** malloc(): memory corruption: 0x08378498 ***
/usr/bin/realplay: line 75: 26278 Aborted                 $REALPLAYBIN "$@"
sbrabec@hammer:~/STABLE/SECURITY> realplay poc3.ram
*** glibc detected *** malloc(): memory corruption: 0x083c8d80 ***
/usr/bin/realplay: line 75: 26293 Aborted                 $REALPLAYBIN "$@"
sbrabec@hammer:~/STABLE/SECURITY> realplay poc4.ram
*** glibc detected *** malloc(): memory corruption: 0x0837eed8 ***
/usr/bin/realplay: line 75: 26305 Aborted                 $REALPLAYBIN "$@"
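As a defender's triage aid for reports like the one above, here is an added example (not code from this bug report, RealPlayer or SUSE) that scans a .ram playlist for the two symptoms seen in comments 10 and 12: oversized entries, which a fixed-size parser may mishandle, and non-UTF-8 bytes, which match the Pango warning. The length threshold, the scheme list and the sample inputs are my assumptions; the actual poc*.ram attachments are not reproduced here.

```python
from __future__ import annotations
import re

# Assumed sane upper bound for one playlist entry; tune per deployment.
MAX_ENTRY_LEN = 1024
# Assumed set of schemes a .ram playlist is expected to carry.
ALLOWED_SCHEMES = ("rtsp", "pnm", "http", "https", "file")
SCHEME_RE = re.compile(r"([a-zA-Z][a-zA-Z0-9+.-]*)://")


def check_ram_bytes(data: bytes) -> list[str]:
    """Return human-readable findings for one .ram file given as raw bytes.

    An empty list means nothing looked abnormal. The check is deliberately
    conservative: it flags structure a player should never need to accept.
    """
    findings: list[str] = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue  # blank line or comment
        if len(line) > MAX_ENTRY_LEN:
            findings.append(
                f"line {lineno}: entry length {len(line)} exceeds {MAX_ENTRY_LEN}")
        if any(c < 0x20 and c != 0x09 for c in line):
            findings.append(f"line {lineno}: contains control characters")
        try:
            text = line.decode("utf-8")
        except UnicodeDecodeError:
            findings.append(f"line {lineno}: not valid UTF-8")
            continue  # no point parsing a scheme out of undecodable bytes
        m = SCHEME_RE.match(text)
        if m is None:
            findings.append(f"line {lineno}: no URL scheme")
        elif m.group(1).lower() not in ALLOWED_SCHEMES:
            findings.append(f"line {lineno}: unexpected scheme {m.group(1)!r}")
    return findings


# Constructed sample inputs (not the attachments from this bug).
BENIGN_RAM = b"# RealMedia playlist\nrtsp://media.example.com/clip.rm\n"
SUSPICIOUS_RAM = (b"rtsp://media.example.com/" + b"A" * 5000 + b"\n"
                  + b"pnm://media.example.com/\xff\xfe\n")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RAM), ("suspicious", SUSPICIOUS_RAM)):
        print(name, check_ram_bytes(blob) or "OK")
```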
Comment 13 Marcus Meissner 2005-04-08 10:58:05 UTC
Thanks. I will do the patchinfos. 
 
swampid: 869 
Comment 14 Marcus Meissner 2005-04-08 11:02:38 UTC
patchinfos submitted to done/PATCHINFO 
Comment 15 Marcus Meissner 2005-04-20 06:25:35 UTC
http://service.real.com/help/faq/security/050419_player/EN/ 
 
... updated packages approved. 
Comment 16 Marcus Meissner 2005-04-20 07:31:37 UTC
advisories released. 
Comment 17 Ludwig Nussel 2005-04-21 09:11:04 UTC
CAN-2005-0755 
Comment 18 Thomas Biege 2009-10-13 21:16:19 UTC
CVE-2005-0755: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)