|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[sec-adv] RealPlayer/RealOne PNG Deflate Heap Overflow
From: Secunia Security Advisories (sec-adv
secunia.com)
Date: Sat Mar 29 2003 - 06:31:33 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
TITLE:
RealPlayer/RealOne PNG Deflate Heap Overflow
READ ONLINE:
http://www.secunia.com/advisories/8445/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
RealPlayer 8
RealOne Player
DESCRIPTION:
A vulnerability has been identified in RealPlayer and RealOne, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by a boundary error in the code handling
decompression of PNG graphic files. According to RFC 1951, the values
"286" and "287" do not represent valid length codes in compressed
blocks and should therefore not be present in these. If
RealPlayer/RealOne encounters one of these codes in a specially
crafted compressed block, it erroneously assumes a length of 2^32
bytes (4 GB), which will overwrite the allocated buffer and corrupt
the memory.
A malicious person can exploit the vulnerability by constructing a
specially crafted PNG file, which can cause a heap overflow on a
user's system when opened. This can potentially result in execution
of arbitrary code with the user's privileges.
The following versions have been confirmed vulnerable:
* RealOne Player v2 (Win32) [versions: 6.0.11.818, 6.0.11.818,
6.0.11.830, 6.0.11.841, 6.0.11.853]
* RealOne Player v1 (Win32) [version: 6.0.10.505]
* RealOne Player for OS X [version: 9.0.0.297, 9.0.0.288]
* RealPlayer 8/RealPlayer Plus 8 (Win32 & Mac OS 9) [version:
6.0.9.584 (Win32 & Mac OS 9)]
* RealOne Enterprise Desktop (Win32) [version: 6.0.11.774]
SOLUTION:
Apply security updates:
http://service.real.com/help/faq/security/securityupdate_march2003.html
REPORTED BY / CREDITS:
Juliano Rizzo, Agustin Azubel Friedman, Bruno Acselrad and Carlos
Sarraute from Core Security Technologies.
ORIGINAL ADVISORY:
http://www.coresecurity.com/common/showdoc.php?idx=311&idxseccion=10
----------------------------------------------------------------------
Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Contact details:
Web : http://www.secunia.com/
E-mail : supportsecunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]