Security Advisory Critical: RealPlayer security update

Advisory: RHSA-2008:0812-13
Type: Security Advisory
Severity: Critical
Issued on: 2008-07-31
Last updated on: 2008-09-17
Affected Products: RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)
RHEL Supplementary EUS (v. 5.2.z server)
Red Hat Enterprise Linux Extras (v. 3)
Red Hat Enterprise Linux Extras (v. 4)
Red Hat Enterprise Linux Extras (v. 4.6.z)
CVEs (cve.mitre.org): CVE-2007-5400

Details

RealPlayer 10.0.9 as shipped in Red Hat Enterprise Linux 3 Extras, 4
Extras, and 5 Supplementary, contains a security flaw and should not be
used.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

[Updated 17 September 2008]
We have updated this erratum to include packages which remove RealPlayer
from Red Hat Enterprise Linux 3 Extras, 4 Extras and 5 Supplementary.

RealPlayer is a media player that provides media playback locally and via
streaming.

RealPlayer 10.0.9 is vulnerable to a critical security flaw and should no
longer be used. A remote attacker could leverage this flaw to execute
arbitrary code as the user running RealPlayer. (CVE-2007-5400)

This issue is addressed in RealPlayer 11. Red Hat is unable to ship
RealPlayer 11 due to additional proprietary codecs included in that
version. Therefore, users who wish to continue to use RealPlayer should get
an update directly from www.real.com.

This update removes the RealPlayer 10.0.9 packages due to their known
security vulnerabilities.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Supplementary (v. 5 client)

IA-32:
RealPlayer-uninstall-10.0.9-4.el5.i386.rpm     MD5: 4ac72fb645fd4ae06d7242603a22f53d
 
x86_64:
RealPlayer-uninstall-10.0.9-4.el5.i386.rpm     MD5: 4ac72fb645fd4ae06d7242603a22f53d
 
RHEL Supplementary (v. 5 server)

IA-32:
RealPlayer-uninstall-10.0.9-4.el5.i386.rpm     MD5: 4ac72fb645fd4ae06d7242603a22f53d
 
x86_64:
RealPlayer-uninstall-10.0.9-4.el5.i386.rpm     MD5: 4ac72fb645fd4ae06d7242603a22f53d
 
RHEL Supplementary EUS (v. 5.2.z server)

IA-32:
RealPlayer-uninstall-10.0.9-4.el5.i386.rpm     MD5: 4ac72fb645fd4ae06d7242603a22f53d
 
x86_64:
RealPlayer-uninstall-10.0.9-4.el5.i386.rpm     MD5: 4ac72fb645fd4ae06d7242603a22f53d
 
Red Hat Enterprise Linux Extras (v. 3)

IA-32:
realplayer-uninstall-10.0.9-0.rhel3.7.i386.rpm     MD5: 5553d1851033804b86c61a37ea46cd02
 
x86_64:
realplayer-uninstall-10.0.9-0.rhel3.7.i386.rpm     MD5: 5553d1851033804b86c61a37ea46cd02
 
Red Hat Enterprise Linux Extras (v. 4)

IA-32:
RealPlayer-uninstall-10.0.9-3.i386.rpm
File outdated by:  RHBA-2009:1003
    MD5: 21542b20a44d78877a5fe4564b2eb94f
 
x86_64:
RealPlayer-uninstall-10.0.9-3.i386.rpm
File outdated by:  RHBA-2009:1003
    MD5: 21542b20a44d78877a5fe4564b2eb94f
 
Red Hat Enterprise Linux Extras (v. 4.6.z)

IA-32:
RealPlayer-uninstall-10.0.9-3.i386.rpm     MD5: 21542b20a44d78877a5fe4564b2eb94f
 
x86_64:
RealPlayer-uninstall-10.0.9-3.i386.rpm     MD5: 21542b20a44d78877a5fe4564b2eb94f
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

456855 - CVE-2007-5400 RealPlayer: SWF Frame Handling Buffer Overflow


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/