Bugzilla – Bug 106048
VUL-0: CVE-2005-2629: buffer overflow in realplayer before 1.0.6
Last modified: 2021-11-04 16:31:44 UTC
note: disclosure 30.8.2005.
Standa has vacation the following two weeks. I can prepare the update. I would need some help because I do not know the details about our RealPlayer-related contracts. Do we have access to the fixed binaries already now? Or do I have to wait until 30 August when the fixed binaries are officialy available? Do we need to run the quick test plan on our platform? Who will run it (me, QA, anybody else)? Thanks for help, Petr
I just have this mail, nothing more for now. The mail seems to suggest we get them on August 30th. I also am not familar where the packages are, Stanislav did that. The testplan is run by one of our india colleagues.
CRD 15.9.2005
SWAMPID: 2211
patchinfos submitted.
Are the binaries for ppc available somewhere? Thanks for help.
approved binary packages we had so far.
I don't have informatoin about ppc binares.
*sigh* are we even allowed to release the previous update? Please prepare new packages in any case.
I will ask for new builds.
Note that the *bleep* date *changed* three times. Even silently from 15th to 19th of September.
From: Donya Shirzad <dshirzad@real.com> To: Stanislav Brabec <sbrabec@suse.cz>, Donya Shirzad <dshirzad@real.com> Cc: novell-private-dev <novell-private-dev@helixcommunity.org> Subject: Re: [Novell-private-dev] Another (optional) Security Update of RealPlayer Date: Fri, 09 Sep 2005 11:09:43 -0700 (20:09 CEST) At 03:36 PM 9/9/2005 +0200, Stanislav Brabec wrote: >Hallo. We decided to do this update. Could you provide URL, where I can >download new builds? We'll be putting the updated build in the novell-private project at the end of next week. I'll send out another email with the required URLs. Thanks, - Donya
For 10.0, I will add fix for bug 117078 altogether with this security update.
current CRD: 18.10.2005
Packages submitted for: 9.2-i386, 9.3-i386, sles9-sld-i386: Fix for this bug only. 10.0-i386, STABLE-i386: With aoss preloader. Please follow bug 117078 for test plan. I don't have PPC builds yet.
we will wait with checkin until the day of disclosure nears. there was also a mail on full-disclosure probably reporting some of the problems here already to the public.
*** Bug 119017 has been marked as a duplicate of this bug. ***
stanislav, we need the indian test guy to run the testsuite ... do you still have his name / address?
There are addresses from test report from April: Thanikachalam S <sthanikachalam@novell.com> Rajasekhar Inguva <RInguva@novell.com> Please note them about special need to test 10.0 with aoss (please follow bug 117078 for more). And please don't close the bug until PPC gets fixed.
I just sent off a query mail to the indian testengineers.
Where's the 10.0-ppc version?
I have just asked for PPC binaries again.
We are not shipping RealPlayer PPC binaries, so this must not block the checkin. Please checkin the i386 packages ASAP.
we released the CAN-2005-2710 part and announce it. The CAN-2005-2629 part (buffer overflow) is NOT PUBLIC yet. (perhaps oct 18, unclear)
stanislav ... do you know if we released the bugfix for the other problem in here with the last update too? or if we need to do a full update again?
I have only replaced old tarball of 10.0.6 with newer one. I guess that no fix was removed from newer tarball.
CVE-2005-2629 is public now
ok, i guess we can close it. we released it earlier, unannounced. i will put a note into our summary advisory this week.
Fixed package submitted to STABLE.
CVE-2005-2629: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)