Bugtraq mailing list archives
re: Real player resource exhaustion Vulnerability
From: security curmudgeon <jericho () attrition org>
Date: Wed, 3 Jul 2013 13:33:53 -0500 (CDT)
: Real player resource exhaustion Vulnerability: Real Networks Real Player is prone to Resource exhaustion vulnerability. : When processing specially crafted HTML file, Real Player uses a value : from the file to control a loop operation. Real player fails to validate : the value before using it, which leads to DoS / Crash.
: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C)You should probably re-read the CVSSv2 guide. A context-dependent DoS does not warrant C:C or I:C.
AV:N/AC:M/Au:N/C:N/I:N/A:C <- at most, if you score based on the idea of an "IT asset" being software. The CVSSv2 specs are a bit inconsistent in wording, so some people use this as a guideline.
AV:N/AC:M/Au:N/C:N/I:N/A:P <- if you score based on the strict intention of the CVSSv2 spec, where you score based on *system* impact.
: 2013-00-00: Vendor Fix/Patch : 2013-06-04: Public Disclosure When was the fix released?Where was this disclosed on 2013-06-04, since you posted this to Bugtraq on 2013-07-02??
Current thread:
- Real player resource exhaustion Vulnerability akshay . vaghela (Jul 02)
- <Possible follow-ups>
- re: Real player resource exhaustion Vulnerability security curmudgeon (Jul 03)
- Re: re: Real player resource exhaustion Vulnerability akshay . vaghela (Jul 09)
- Re: re: Real player resource exhaustion Vulnerability Henri Salo (Jul 09)