-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have had an eye on helix-player for quite a long time. Unfortunately, the maintainer is not very reactive. Since he didn't respond except today, I originally wanted to do the security update myself. Now, this will be done by the original maintainer, I guess/hope.

However, to support you in your work, I wrote a proposal for the DSA (attached).

Regards,
Daniel

- --
Address:  Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:    [EMAIL PROTECTED]
Internet: http://people.panthera-systems.net/~daniel-baumann/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDNoLl+C5cwEsrK54RAlx5AKCcSy5xWqTaxDMC2JdUD13R6awj9gCg15Lj
PBOvK694RagJHHoEqefatRY=
=xKKY
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory Proposal Helix Player 1.0.5
http://www.daniel-baumann.ch/
Daniel Baumann
September 25, 2005
- - ------------------------------------------------------------------------

Package        : helix-player
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-1766 CAN-2005-2052 CAN-2005-2054 CAN-2005-2055

Several vulnerabilities have been discovered in helix-player, a GTK2 based
media player written in C++. The Common Vulnerabilities and Exposures
project identifies the following problems:

CAN-2005-1766

    Piotr Bania discovered how to fashion a malicious RAM file to cause a
    buffer overflow which allowed an attacker to execute arbitrary code on
    a customer's machine.

CAN-2005-2052
CAN-2005-2054
CAN-2005-2055

    eEye Digital Security discovered how to fashion a malicious RealMedia
    file which uses RealText to cause a heap overflow to allow an attacker
    to execute arbitrary code on a customer's machine.

The old stable distribution (woody) does not contain helix-player packages.

For the stable distribution (sarge) these problems have been fixed in
version 1.0.5-1sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 1.0.5-1.

We recommend that you upgrade your helix-player package.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDNoKI+C5cwEsrK54RAhVRAKCUpHNMuM4mPZKjKFCL0FrO9iLvcACffUu4
ZUQg2rQQOQOCKNfhs5tA/XE=
=j6WA
-----END PGP SIGNATURE-----