-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
SUMMARY - ------- There is (apparently) a security vulnerability in realplayer. Little detail is given by Real, presumably this is exploitable remotely by an unscrupulous stream operator. The file to upgrade is /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0 Real has documented this on their site here: http://www.service.real.com/help/faq/security/bufferoverrun.html The new .so is available here: http://docs.real.com/docs/playerpatch/RP8_gold/rmffplin.so.6.0-linux-2.2-libc6-i386.gz DEBIAN-SPECIFIC - --------------- Because the 'realplayer' package does not actually contain anything substantial in it, rather it is an installer package -- frankly there's no entirely satisfactory solution. This is mainly due to their licensing, In correspondence, they have always indicated to me that they do not wish 3rd parties redistributing their software. I can only assume this applies to this security fix. Their legalese license seems to indicate as much. (/usr/share/doc/realplayer/LICENSE). Therefore, I cannot simply uuencode the new .so into the .deb, and install it in the postinst, or something similar. Complain to Real about this, there's not much I can do about it. Fortunately the fix is trivial. INSTRUCTIONS - ------------ To check if your current realplayer installation is vulnerable to this bug, check your current version of rmffplin.so.6.0 with md5sum. My old (vulnerable) version was.. (Yours may vary) 127bddd48a06673ec98a945b9c206a9e /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0 The new (fixed) version is.. 201de7b7acbc467846fc9cd11ff90266 /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0 You may download the new .so from realplayer's site here (for libc 2.2).. http://docs.real.com/docs/playerpatch/RP8_gold/rmffplin.so.6.0-linux-2.2-libc6-i386.gz e.g. Assuming you downloaded and gunzip'd the new .so to your home (~).. (exit realplayer if running) (become root) # rm -f /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0 # cp ~/rmffplin.so.6.0-linux-2.2-libc6-i386 /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0 # chmod 644 /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0 # chown root:root /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0 md5sum /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0 should display.. 201de7b7acbc467846fc9cd11ff90266 /usr/lib/RealPlayer8/Plugins/rmffplin.so.6.0 - Brian Russo P.S. Beware, when I last checked, the RPM (*cs2*) on Real's site, did not contain the updated rmffplin.so, so if you just installed you are probably not safe. Of course, as joeyh pointed out, due to Real's practices, they may silently update in future without warning. P.P.S My apologies for not bringing this to your attention sooner, I was only made aware of it recently by Nicolas Lidzborski <[EMAIL PROTECTED]>. Thanks Nicolas! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjxiiX8ACgkQIkODnFTYFmZT5ACeLInmyWZcv0AiESFZ2sNOF4dJ J5cAn0nBthWGbMXJWx79OFQqvm/NqnTC =MszO -----END PGP SIGNATURE-----
