Firefox is supporting old versions of Real player plug-in



4 years ago
3 years ago


(Reporter: devand27, Assigned: espressive)




(1 attachment)



4 years ago
Created attachment 8503731 [details]
Untitled 3.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36

Actual results:

Firefox is supporting an old version of the RealPlayer plug-in which allows remote code execution.

Please find the security vulnerability details:-

Chandra Mohan

Expected results:

Firefox should not support old versions of the RealPlayer plug-in.
Group: core-security → websites-security
Component: Untriaged → General
Product: Firefox → Plugin Check
Version: 35 Branch → unspecified


4 years ago
Assignee: nobody → schalk.neethling.bugs
Component: General → Whistler
Priority: -- → P1

Comment 1

4 years ago
So, in the database we currently have:

(2) RealJukebox NS Plugin
(1) RealNetworks(tm) Chrome Background Extension Plug-In (32-bit)
(3) RealPlayer
(2) RealPlayer Version Plugin
(1) RealPlayer(tm) HTML5VideoShim Plug-In (32-bit)

Looking at each though, they all have the same version set as the latest aka so, I am not sure why we need to track 5 different 'forms' of the plugin. Carsten? I assume historic reasons.

I will update all 5 with the information provided above, but I will need to figure out if there is any reason to track all those individually.

Thanks for reporting this.
Flags: needinfo?(cbook)

Comment 2

4 years ago
The production database has been updated. Now I just need to figure out whether we actually need those five different product entries, but that is a separate bug.
Last Resolved: 4 years ago
Resolution: --- → FIXED
(In reply to Schalk Neethling [:espressive] from comment #1)
> Carsten? I assume historic reasons.

Yep, exactly, but I guess we can drop outdated/old stuff now.
Flags: needinfo?(cbook)

Comment 4

4 years ago
Do we have Firefox plugin blocks for these versions of RealPlayer? This got moved to plugincheck, but since plugincheck and the AMO blocklist are separate, we need to make sure that we update both of them.

Also, Schalk, since this shipped, can we remove the security flag?
Flags: needinfo?(schalk.neethling.bugs)
Flags: needinfo?(jorge)

Comment 5

4 years ago
:bsmedberg, I reckon we can. I do not seem to have the needed rights to remove the flag though, so feel free to remove it if you are able. Thanks!
Flags: needinfo?(schalk.neethling.bugs)
There are no blocks for the Real Player plugin. To create a blocklist bug I'll need version and platform details.
Flags: needinfo?(jorge)
Group: websites-security

Comment 7

4 years ago
Jorge, do you need more details than the RealPlayer security bulletins from comment 0?
Flags: needinfo?(jorge)
Depends on: 1222130
Sorry for the delay, I filed bug 1222130 to deal with the block.
Flags: needinfo?(jorge)