|
|
|
|
| |
Credit:
The information has been provided by Alexander Gavrun.
The original article can be found at: http://www.zerodayinitiative.com/advisories/ZDI-12-051/
|
| |
Vulnerable Systems:
* RealPlayer
The specific flaw exists due to the application mishandling an error that occurs when parsing an RTSP SETUP request. When an error occurs, the application will free a pointer to a linked list due to the stream being closed. Following this, the application will then attempt to access the freed element whilst traversing the list. This can lead to a use-after-free condition and can lead to code execution under the context of the application.
Vendor Status:
RealNetworks has issued an update to correct this vulnerability.
Patch Availability:
http://service.real.com/realplayer/security/11182011_player/en/
CVE Information:
CVE-2011-4254
Disclosure Timeline:
2011-08-12 - Vulnerability reported to vendor
2012-03-22 - Coordinated public release of advisory
|
|
|
|
|
