RealNetworks RealPlayer and RealOne Player chunked Transfer-Encoding buffer overflow

realnetworks-chunked-transferencoding-bo (25409) The risk level is classified as High Risk

Description:

Multiple RealNetworks RealPlayer and RealOne Player versions are vulnerable to a heap-based buffer overflow, caused by improper handling of chunked Transfer-Encoded data. By creating a specially-crafted Web page containing embedded object tags that launch an affected version of RealPlayer or RealOne Player, a remote attacker could overflow a buffer and execute arbitrary code on the victim's system, if the victim could be persuaded to visit the malicious page.
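The CVE-2005-2922 entry under References names three malformed inputs: a chunk length of -1, a declared length shorter than the data sent, and a missing chunk header. The following is an added defensive example, not RealNetworks code, showing a chunked-body decoder that rejects all three and bounds every copy; the function names and the sample bodies are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                   /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper: decode a complete chunked body held in memory.
   Returns the decoded length, or -1 if malformed or larger than out_cap.
   Chunk extensions and trailers are not handled. */
long dechunk(const unsigned char *in, size_t in_len,
             unsigned char *out, size_t out_cap) {
    size_t i = 0, o = 0;
    for (;;) {
        size_t size = 0, digits = 0;
        /* Header must be hex digits: "-1" or raw data is rejected here. */
        while (i < in_len && hexval(in[i]) >= 0) {
            if (size > (out_cap >> 4)) return -1; /* too big; blocks wraparound */
            size = (size << 4) | (size_t)hexval(in[i++]);
            digits++;
        }
        if (digits == 0) return -1;
        if (in_len - i < 2 || in[i] != '\r' || in[i + 1] != '\n') return -1;
        i += 2;
        if (size == 0) return (long)o;            /* terminating chunk */
        if (size > out_cap - o) return -1;        /* bound on destination */
        if (in_len - i < 2 || in_len - i - 2 < size) return -1; /* bound on source */
        memcpy(out + o, in + i, size);
        o += size;
        i += size;
        /* Data running past the declared length fails this CRLF check. */
        if (in[i] != '\r' || in[i + 1] != '\n') return -1;
        i += 2;
    }
}

int main(void) {
    /* Constructed sample bodies, not captured traffic. */
    const char *bodies[] = { "5\r\nhello\r\n0\r\n\r\n", "-1\r\nAAAA\r\n0\r\n\r\n",
                             "3\r\nabcdef\r\n0\r\n\r\n", "payload, no header" };
    unsigned char out[16];
    for (size_t k = 0; k < sizeof bodies / sizeof bodies[0]; k++)
        printf("body %zu -> %ld\n", k, dechunk((const unsigned char *)bodies[k],
                                               strlen(bodies[k]), out, sizeof out));
    return 0;
}
```

The size is accumulated as an unsigned value and compared against the remaining destination space before any copy, so a signed interpretation of the header never reaches memcpy.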


Consequences:

Gain Access

Remedy:

Refer to the RealNetworks Customer Support - Real Security Updates Web page for upgrade information. See References.

For Red Hat Linux (Helixplayer):
Refer to RHSA-2005:788-3 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Realplayer):
Refer to RHSA-2005:762-12 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2006:018 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • iDEFENSE Security Advisory: 03.23.06: RealNetworks RealPlayer and Helix Player Invalid Chunk Size Heap Overflow Vulnerability.
  • Internet Security Systems Protection Alert 03/28/06: RealNetworks RealPlayer chunked Transfer-Encoding buffer overflow.
  • RealNetworks Customer Support - Real Security Updates Web page: RealNetworks Releases Product Updates - 03162006.
  • BID-17202: RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
  • CVE-2005-2922: Heap-based buffer overflow in the embedded player in multiple RealNetworks products and versions including RealPlayer 10.x, RealOne Player, and Helix Player allows remote malicious servers to cause a denial of service (crash) and possibly execute arbitrary code via a chunked Transfer-Encoding HTTP response in which either (1) the chunk header length is specified as -1, (2) the chunk header with a length that is less than the actual amount of sent data, or (3) a missing chunk header.
  • RHSA-2005-762: RealPlayer security update
  • RHSA-2005-788: HelixPlayer security update
  • SA19358: RealNetworks Products Multiple Buffer Overflow Vulnerabilities
  • SECTRACK ID: 1015808: RealPlayer Heap Overflow in Embedded Player May Let Remote Users Execute Arbitrary Code
  • SUSE-SA:2006:018: RealPlayer security problems
  • US-CERT VU#172489: RealNetworks products fail to properly handle chunked data

Platforms Affected:

  • Novell Linux Desktop 9
  • Real Helix Player 1.0.0
  • Real Helix Player 1.0.1 Gold
  • Real Helix Player 1.0.2 Gold
  • Real Helix Player 1.0.3 Gold
  • Real Helix Player 1.0.4 Gold
  • Real Helix Player 1.0.5 Gold
  • Real Helix Player 1.0.6 Gold
  • Real RealONE Player 1
  • Real RealONE Player 2
  • Real RealONE Player
  • Real RealONE Player for Mac OS X 9.0.0.288
  • Real RealONE Player for Mac OS X 9.0.0.297
  • Real RealPlayer 10.0
  • Real RealPlayer 10.5
  • Real RealPlayer 10.5_build_6.0.12.1040
  • Real RealPlayer 10.5_build_6.0.12.1053
  • Real RealPlayer 10.5_build_6.0.12.1056
  • Real RealPlayer 10.5_build_6.0.12.1059
  • Real RealPlayer 10.5_build_6.0.12.1069
  • Real RealPlayer 10.5_build_6.0.12.1235
  • Real RealPlayer 8.0 Win32
  • Real RealPlayer Enterprise
  • Real RealPlayer for Linux 10.0.1
  • Real RealPlayer for Linux 10.0.2
  • Real RealPlayer for Linux 10.0.3
  • Real RealPlayer for Linux 10.0.4
  • Real RealPlayer for Linux 10.0.5
  • Real RealPlayer for Linux 10.0.6
  • Real RealPlayer for Mac OS X 10_build_10.0.0.305
  • Real RealPlayer for Mac OS X 10_build_10.0.0.331
  • Real Rhapsody 3
  • Real Rhapsody 3_build_0.815
  • RedHat Enterprise Linux 4 WS
  • RedHat Enterprise Linux 4 AS
  • RedHat Enterprise Linux 4 Desktop
  • RedHat Enterprise Linux 4 ES
  • RedHat RHEL Extras 3
  • RedHat RHEL Extras 4
  • SUSE SuSE Linux 10.0
  • SUSE SuSE Linux 9.1
  • SUSE SuSE Linux 9.2
  • SUSE SuSE Linux 9.3

Reported:

Mar 22, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
