re: Real player resource exhaustion Vulnerability

From: security curmudgeon <jericho@attrition.org>
To: akshay.vaghela@cyberoam.com
Cc: bugtraq@securityfocus.com
Subject: re: Real player resource exhaustion Vulnerability
Date:



: Real player resource exhaustion Vulnerability

: Real Networks Real Player is prone to Resource exhaustion vulnerability. 
: When processing specially crafted HTML file, Real Player uses a value 
: from the file to control a loop operation. Real player fails to validate 
: the value before using it, which leads to DoS / Crash.

: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C)

You should probably re-read the CVSSv2 guide. A context-dependent DoS does 
not warrant C:C or I:C.

AV:N/AC:M/Au:N/C:N/I:N/A:C  <- at most, if you score based on the idea of 
an "IT asset" being software. The CVSSv2 specs are a bit inconsistent in 
wording, so some people use this as a guideline.

AV:N/AC:M/Au:N/C:N/I:N/A:P  <- if you score based on the strict 
intention of the CVSSv2 spec, where you score based on *system* impact.

: 2013-00-00: Vendor Fix/Patch
: 2013-06-04: Public Disclosure

When was the fix released?

Where was this disclosed on 2013-06-04, since you posted this to Bugtraq 
on 2013-07-02??







Copyright © 1995-2019 LinuxRocket.net. All rights reserved.