-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0105
  RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.
                              27 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              RealNetworks RealPlayer
Operating System:     Windows
                      OS X
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-4974 CVE-2013-4973 
Member content until: Thursday, September 26 2013

OVERVIEW

        Vulnerabilities have been identified in Windows RealPlayer prior to
        version 16.0.3.51 and Mac RealPlayer prior to 12.0.1.1738. [1]


IMPACT

        The vendor has provided the following description regarding these
        issues:
        
        "CVE-2013-4973
        RealPlayer - Stack buffer overflow in Player when handling filenames 
        in RMP
        Affected software: Windows RealPlayer 16.0.2.32 and prior.
        Credit to hamburgers maccoy for reporting this issue.
        
        CVE-2013-4974
        RealPlayer - RM Memory corruption vulnerability when parsing a 
        malformed RealMedia file
        Affected software: Windows RealPlayer 16.0.2.32 and prior.
        Credit to Jeremy Brown of Microsoft and MSVR for reporting this 
        issue." [1]


MITIGATION

        The vendor recommends updating to the latest version of RealPlayer to 
        correct these issues. [1]


REFERENCES

        [1] RealNetworks, Inc. Releases Update to Address Security
            Vulnerabilities.
            http://service.real.com/realplayer/security/08232013_player/en/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----