eEye Digital Security has reported two vulnerabilities in RealPlayer, RealOne, and HelixPlayer, which can be exploited by malicious people to compromise a user's system.

1) A signedness error exists when handling the first data packet in a Real Media ".rm" file. This can be exploited to cause a stack-based buffer overflow via a specially crafted ".rm" file that contains values between 0x80 and 0xFF in the application-specific length field.

Successful exploitation allows arbitrary code execution.

The vulnerability has been reported in the following versions:
* RealPlayer 10.5 (6.0.12.1040-1235) (Windows)
* RealPlayer 10 (Windows)
* RealOne Player v1 (Windows)
* RealOne Player v2 (Windows)
* RealPlayer 8 (Windows)
* RealPlayer Enterprise versions 1.1, 1.2, 1.5, 1.6 and 1.7 (Windows)
* RealPlayer 10 (10.0.0.305 - 331) (Mac)
* RealPlayer 10 (10.0.0 - 10.0.5) (Linux)
* Helix Player (10.0.0 - 10.0.5) (Linux)

2) A boundary error exists when extracting a RealPlayer skin ".rjs" file. This can be exploited to cause a heap-based buffer overflow in DUNZIP32.DLL via a malicious ".rjs" file with a specially-crafted file length field.

The vulnerability has been reported in following versions:
* RealPlayer 10.5 (6.0.12.1040-1235) (Windows)
* RealPlayer 10 (Windows)
* RealOne Player v1 (Windows)
* RealOne Player v2 (Windows)
* RealPlayer 8 (Windows)

Solution
Update to the fixed versions:
Further details available in Customer Area

Provided and/or discovered by
1) Karl Lynn, eEye Digital Security.
2) Fang Xing, eEye Digital Security.

The vendor also credits John Heasman of NGS Software.

Changelog
Further details available in Customer Area

Original Advisory
RealNetworks:
http://service.real.com/help/faq/security/051110_player/EN/
http://service.real.com/help/faq/security/security111005.html

eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20051110a.html
http://www.eeye.com/html/research/advisories/AD20051110b.html

Deep Links
Links available in Customer Area