Debian DSA-826-1 : helix-player - multiple vulnerabilities

medium Nessus Plugin ID 19795

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple security vulnerabilities have been identified in the helix-player media player that could allow an attacker to execute code on the victim's machine via specially crafted network resources.

- CAN-2005-1766 Buffer overflow in the RealText parser could allow remote code execution via a specially crafted RealMedia file with a long RealText string.

- CAN-2005-2710

Format string vulnerability in Real HelixPlayer and RealPlayer 10 allows remote attackers to execute arbitrary code via the image handle attribute in a RealPix (.rp) or RealText (.rt) file.

Solution

Upgrade the helix-player package.

For the stable distribution (sarge), these problems have been fixed in version 1.0.4-1sarge1

helix-player was distributed only on the i386 and powerpc architectures

See Also

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=316276

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330364

http://www.debian.org/security/2005/dsa-826

Plugin Details

Severity: Medium

ID: 19795

File Name: debian_DSA-826.nasl

Version: 1.22

Type: local

Agent: unix

Published: 10/5/2005

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:helix-player, cpe:/o:debian:debian_linux:3.1

Required KB Items: Host/Debian/dpkg-l, Host/local_checks_enabled, Host/Debian/release

Patch Publication Date: 9/29/2005

Vulnerability Publication Date: 6/23/2005

Reference Information

CVE: CVE-2005-1766, CVE-2005-2710

DSA: 826