RHEL 4 : HelixPlayer (RHSA-2010:0094)

This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing a security update.

Description :

An updated HelixPlayer package that fixes several security issues is
now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

HelixPlayer is a media player.

Multiple buffer and integer overflow flaws were found in the way
HelixPlayer processed Graphics Interchange Format (GIF) files. An
attacker could create a specially crafted GIF file which would cause
HelixPlayer to crash or, potentially, execute arbitrary code when
opened. (CVE-2009-4242, CVE-2009-4245)

A buffer overflow flaw was found in the way HelixPlayer processed
Synchronized Multimedia Integration Language (SMIL) files. An attacker
could create a specially crafted SMIL file which would cause
HelixPlayer to crash or, potentially, execute arbitrary code when
opened. (CVE-2009-4257)

A buffer overflow flaw was found in the way HelixPlayer handled the
Real Time Streaming Protocol (RTSP) SET_PARAMETER directive. A
malicious RTSP server could use this flaw to crash HelixPlayer or,
potentially, execute arbitrary code. (CVE-2009-4248)

Multiple buffer overflow flaws were discovered in the way HelixPlayer
handled RuleBook structures in media files and RTSP streams. Specially
crafted input could cause HelixPlayer to crash or, potentially,
execute arbitrary code. (CVE-2009-4247, CVE-2010-0417)

A buffer overflow flaw was found in the way HelixPlayer performed URL
un-escaping. A specially crafted URL string could cause HelixPlayer to
crash or, potentially, execute arbitrary code. (CVE-2010-0416)

All HelixPlayer users are advised to upgrade to this updated package,
which contains backported patches to resolve these issues. All running
instances of HelixPlayer must be restarted for this update to take
effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2009-4242.html
https://www.redhat.com/security/data/cve/CVE-2009-4245.html
https://www.redhat.com/security/data/cve/CVE-2009-4247.html
https://www.redhat.com/security/data/cve/CVE-2009-4248.html
https://www.redhat.com/security/data/cve/CVE-2009-4257.html
https://www.redhat.com/security/data/cve/CVE-2010-0416.html
https://www.redhat.com/security/data/cve/CVE-2010-0417.html
http://rhn.redhat.com/errata/RHSA-2010-0094.html

Solution :

Update the affected HelixPlayer package.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 44430 ()

Bugtraq ID: 37880

CVE ID: CVE-2009-4242
CVE-2009-4245
CVE-2009-4247
CVE-2009-4248
CVE-2009-4257
CVE-2010-0416
CVE-2010-0417