Bug 88491 (CVE-2005-1766)

Summary: VUL-0: CVE-2005-1766: Realplayer SMIL overflow (SS5)
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P5 - None
CC: aj, sbrabec, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: All
Whiteboard: CVE-2005-1766: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Found By: Third Party Developer/Partner
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2005-06-09 08:29:29 UTC
From: Michael Maloney <mmaloney@real.com> 
Subject: [Novell-private-dev] RealPlayer SS5 Available for Testing 
 
RealPlayer10 Distribution Partners, 
 
New versions of RealPlayer and Helix Player are available, which address
recently discovered security vulnerabilities. The vulnerabilities
offered the potential for an attacker to run arbitrary or malicious code
on a user's machine. We've received no reports of machines compromised
as a result of the now-remedied vulnerabilities.

This vulnerability involved a complex interaction between a maliciously
created SMIL file and a specifically crafted web server, which caused a heap
overflow in the error message processing for RealText and could have
allowed an attacker to execute arbitrary code on a customer's machine.
 
These fixes have been verified by RealNetworks and new source tarballs 
have been made available incorporating the fix. Please download the 
appropriate source for your distribution, compile, and run the 
Helix/RealPlayer versus the Distribution Partner BVT test plan indicated 
below in order to verify the integrity and functionality of the build on  
your distribution. 
We are scheduled to announce this vulnerability and the availability of 
new builds on Thursday, June 23rd. 
IMPORTANT: IN ORDER TO QUALIFY THIS BUILD FOR RELEASE WITH YOUR 
DISTRIBUTION, WE NEED TO RECEIVE YOUR TEST RESULTS BY MONDAY, JUNE 20TH  !! 
 
TEST PLAN: 
https://helixcommunity.org/docman/view.php/154/220/Distribution_Partner_BVT.html 
 
 
LINKS TO PARTNER BUILDS FOR VERIFICATION: 
 
SuSE / NLD: 
 
https://helixcommunity.org/download.php/1243/RealPlayer-10.0.5-rc1.1-suse9.i586.rpm.tar.bz2

https://helixcommunity.org/download.php/1241/RealPlayer-10.0.5-rc1.1-suse9.src.rpm.tar.bz2
Comment 1 Marcus Meissner 2005-06-09 08:31:16 UTC
not public!

SWAMPID: 1500
Comment 2 Stanislav Brabec 2005-06-09 09:42:40 UTC
Should I first repackage the RPM or test team will verify helixcommunity builds?
Comment 3 Marcus Meissner 2005-06-09 09:46:53 UTC
I think the Indian test engineer is in the CC list ... can you please comment?
Comment 4 Soni Singh 2005-06-10 05:48:19 UTC
I am not able to access the rpm tarball provided in the link above. I already
have an account in helixcommunity.org and AFAIR I have been granted the
permissions but still I am not able to proceed with the download.
Comment 5 Marcus Meissner 2005-06-13 08:14:46 UTC
Stanislav? Are you able to access them?
Comment 6 Stanislav Brabec 2005-06-13 10:12:10 UTC
Yes, I can. I have downloaded the file and will prepare the package.

To access the file, you have to create an account and then ask people from Real
for access to reserved area.

Is there any private place, where can I put the package for our test team?
Comment 7 Soni Singh 2005-06-13 10:49:39 UTC
Stanislav: Is this version of Realplayer (containing the fix for this bug)
already bundled with the RC2 build of NLD 9 SP2 ? If yes, then we have received
the build today and I will test the realplayer for this fix. If No, then can you
please put the rpm somewhere ? I can send you the ip and login credentials (in
an email) for my machine where you can copy the package.
Comment 8 Stanislav Brabec 2005-06-13 12:27:46 UTC
It is in ~sbrabec.

This is a build from STABLE, but the difference between SuSE versions is really
minimal - binaries are exactly the same, only GNOME/KDE integration stuff has
very minor differences (e. g. InitialPreference in desktop file).

Should I submit it to Autobuild?
Comment 9 Marcus Meissner 2005-06-14 17:12:10 UTC
yes, please submit. 
 
we will create patchinfos + swamp 
Comment 10 Marcus Meissner 2005-06-15 16:04:21 UTC
submitted patchinfos. 
Comment 11 Stanislav Brabec 2005-06-15 16:15:47 UTC
Packages submitted for i386 on 9.2, 9.3, SLES9-SLD and STABLE.

No update for older distributions and PPC available.

Reassigning.
Comment 12 Marcus Meissner 2005-06-23 07:27:42 UTC
From: Ryan Gammon <rgammon@real.com> 
 
This is issue CAN-2005-1766 
Comment 13 Marcus Meissner 2005-06-23 10:36:53 UTC
It's waiting for QA approval on our side due to comments on the KDE integration
in https://bugzilla.novell.com/show_bug.cgi?id=93477
Comment 14 Marcus Meissner 2005-06-27 12:08:17 UTC
http://service.real.com/help/faq/security/050623_player/EN/ 
 
The specific exploits were:  
Exploit 1: To fashion a malicious MP3 file to allow the overwriting of a local 
file or execution of an ActiveX control on a customer's machine.  
 
Exploit 2: To fashion a malicious RealMedia file which uses RealText to cause 
a heap overflow to allow an attacker to execute arbitrary code on a customer's 
machine.  
 
Exploit 3: To fashion a malicious AVI file to cause a buffer overflow to allow 
an attacker to execute arbitrary code on a customer's machine.  
 
Exploit 4: Using default settings of earlier Internet Explorer browsers, a 
malicious website could cause a local HTML file to be created and then trigger 
an RM file to play which would then reference this local HTML file. 
Comment 15 Marcus Meissner 2005-06-27 12:09:11 UTC
From: iDEFENSE Labs <labs-no-reply@idefense.com> 
 
RealNetworks RealPlayer RealText Parsing Heap Overflow Vulnerability 
 
iDEFENSE Security Advisory 06.23.05 
www.idefense.com/application/poi/display?id=250&type=vulnerabilities 
June 23, 2005 
 
I. BACKGROUND 
 
RealPlayer is an application for playing various media formats, 
developed by RealNetworks Inc. For more information, visit 
http://www.real.com/. 
 
II. DESCRIPTION 
 
Remote exploitation of a heap-based buffer overflow vulnerability in the
RealText file format parser within various versions of RealNetworks
Inc.'s RealPlayer could allow attackers to execute arbitrary code.
 
The vulnerability specifically exists because of a string copying
operation into a fixed size heap buffer using the sprintf function. The
following function from /datatype/text/realtext/fileformat/rtffplin.cpp
is the offending code:
 
STDMETHODIMP CRealTextFileFormat::ReadDone()
[...]
                 if (pErrorMessages)
                 {
                    const char* pFilename = "[rt file]";
                    if(m_pFileObject)
                    {
                         m_pFileObject->GetFilename(pFilename);
                    }
                    char* pTmp;
                    pTmp = new char[256];
                    sprintf(pTmp,  /* Flawfinder: ignore */
                     "Version in \"%s\" is not recognized installed"
                     " RealText file format",pFilename);
                    pErrorMessages->Report(HXLOG_ERR,
                                      HXR_INVALID_VERSION,
                                      0, (const char*) pTmp, NULL);
                    HX_RELEASE(pErrorMessages);
                    delete [] pTmp;
                 }
[...]
 
The variable pTmp points to 256 bytes of space on the heap. pFilename is
a string pointer that points to data supplied in the RealText stream.
When the sprintf is executed, the data is copied into the 256 byte heap
buffer without any length checking, thus allowing a heap overflow to
occur. Once the heap is overflown, an attacker can eventually write to
arbitrary locations in memory, allowing for the execution of arbitrary
code.
 
III. ANALYSIS 
 
Exploitation allows for arbitrary code execution as the user who opened 
the RealMedia file. 
 
Exploitation requires an attacker to craft a malicious RealMedia file
that uses RealText and convince a user to open it. An attacker could
also force a web browser to refresh and automatically load the RealMedia
file from a normal web page under the attacker's control. In default
installations of RealPlayer under Windows XP, Internet Explorer will not
prompt the user for an action when encountering most RealMedia files. It
will open the file without delay, thus providing an effective method of
exploitation.
 
IV. DETECTION 
 
iDEFENSE Labs has confirmed that RealNetworks' RealPlayer 10.5 
6.0.12.1056 on Windows and RealPlayer 10 and 10.0.1.436 on Linux are 
vulnerable. It is suspected that previous versions of RealPlayer are 
also vulnerable. It is also suspected that RealOne player is vulnerable. 
 
V. WORKAROUND 
 
Although there is no way to completely protect yourself from this    
vulnerability, aside from removing the RealPlayer software, the 
following actions may be taken to minimize risk for automated 
exploitation. 
 
Disable ActiveX controls and plugins, if not necessary for daily    
operations, using the following steps: 
 
1. In IE, click on Tools and select Internet Options from the drop-down 
   menu. 
2. Click the Security tab and the Custom Level button. 
3. Under ActiveX Controls and Plugins, then Run ActiveX Controls and
   Plugins, click the Disable radio button.
 
VI. VENDOR RESPONSE 
 
The vendor has addressed this issue in the following security advisory: 
 
   http://service.real.com/help/faq/security/050623_player/EN/ 
 
VII. CVE INFORMATION 
 
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2005-1277 to this issue. This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardizes names for 
security problems. 
 
VIII. DISCLOSURE TIMELINE 
 
04/26/2005  Initial vendor notification 
04/26/2005  Initial vendor response 
06/23/2005  Coordinated public disclosure 
 
IX. CREDIT 
 
The discoverer of this vulnerability wishes to remain anonymous. 
 
Get paid for vulnerability research 
http://www.idefense.com/poi/teams/vcp.jsp 
 
Free tools, research and upcoming events 
http://labs.idefense.com 
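The unbounded sprintf from the ReadDone() snippet in the advisory above, shown beside two bounded rewrites. This is an added example, not RealNetworks' code: only the format string, the "[rt file]" default and the 256-byte buffer size come from the advisory; the function names are hypothetical.

```cpp
// Added example, not RealNetworks' code: the error-message formatting from
// the ReadDone() snippet, rewritten so a filename taken from the stream
// cannot overflow the buffer. Function names are hypothetical.
#include <cstdio>
#include <cstring>
#include <string>

// Format string and buffer size as quoted in the advisory.
static const char* const kFormat =
    "Version in \"%s\" is not recognized installed RealText file format";
constexpr size_t kBufSize = 256;

// Bytes the original sprintf writes for a given filename: the fixed text
// (format length minus the two "%s" characters) plus the name plus the NUL.
// Anything above kBufSize is the heap overflow the advisory describes.
size_t BytesSprintfWouldWrite(const char* filename) {
    if (filename == nullptr) filename = "[rt file]";   // original default
    return strlen(kFormat) - 2 + strlen(filename) + 1;
}

// Fix A: keep the fixed-size buffer but bound the write with snprintf.
// Returns true if the whole message fit, false if it had to be truncated;
// the buffer is NUL-terminated either way.
bool FormatVersionErrorBounded(const char* filename, char* out, size_t outSize) {
    if (filename == nullptr) filename = "[rt file]";
    int n = snprintf(out, outSize, kFormat, filename);
    return n >= 0 && static_cast<size_t>(n) < outSize;
}

// Fix B: measure first, then allocate exactly what is needed. No fixed
// ceiling, so no truncation and no possibility of overflow.
std::string FormatVersionErrorDynamic(const char* filename) {
    if (filename == nullptr) filename = "[rt file]";
    int needed = snprintf(nullptr, 0, kFormat, filename);   // length sans NUL
    if (needed < 0) return std::string();
    std::string msg(static_cast<size_t>(needed) + 1, '\0');
    snprintf(&msg[0], msg.size(), kFormat, filename);
    msg.resize(static_cast<size_t>(needed));                // drop the NUL
    return msg;
}

int main() {
    std::string longName(300, 'A');   // constructed: a name from a hostile stream
    printf("sprintf would write %zu bytes into a %zu-byte buffer\n",
           BytesSprintfWouldWrite(longName.c_str()), kBufSize);
    printf("bounded: %s\n", FormatVersionErrorDynamic(longName.c_str()).c_str());
    return 0;
}
```

The fixed text of the format is 62 bytes, so any filename longer than 193 bytes pushes the original sprintf past the 256-byte allocation.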
 
 
Comment 16 Marcus Meissner 2005-06-27 12:59:06 UTC
updates released  
Comment 17 Thomas Biege 2009-10-13 21:26:51 UTC
CVE-2005-1766: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)