Closed Bug 1081644 Opened 8 years ago Closed 8 years ago

Firefox is supporting old versions of Real player plug-in

Categories

(Plugin Check :: Whistler, defect, P1)

x86_64
Windows 7
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: devand27, Assigned: espressive)

Attachments

(1 file)

Attached image Untitled 3.png
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36



Actual results:

Firefox is supporting an old version of the Real player plug-in which allows remote code execution.

Please find the security vulnerability details:

http://service.real.com/realplayer/security/12202013_player/en/
http://service.real.com/realplayer/security/06272014_player/en/

Thanks
Chandra Mohan





Expected results:

Firefox should not support old versions of Real player plug-in.
Group: core-security → websites-security
Component: Untriaged → General
Product: Firefox → Plugin Check
Version: 35 Branch → unspecified
Assignee: nobody → schalk.neethling.bugs
Component: General → Whistler
Priority: -- → P1
So, in the database we currently have:

(2) RealJukebox NS Plugin
(1) RealNetworks(tm) Chrome Background Extension Plug-In (32-bit)
(3) RealPlayer
(2) RealPlayer Version Plugin
(1) RealPlayer(tm) HTML5VideoShim Plug-In (32-bit)

Looking at each, though, they all have the same version set as the latest, aka 15.0.2.72, so I am not sure why we need to track 5 different 'forms' of the plugin. Carsten? I assume historic reasons.

I will update all 5 with the information provided above, but I will need to figure out if there is any reason to track all those individually.

Thanks for reporting this.
Flags: needinfo?(cbook)
The production database has been updated. Now I just need to figure out whether we actually need those five different product entries, but that is a separate bug.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
(In reply to Schalk Neethling [:espressive] from comment #1)
> Carsten? I assume historic reasons.

Yep, exactly, but I guess we can drop outdated/old stuff now.
Flags: needinfo?(cbook)
Do we have Firefox plugin blocks for these versions of realplayer? This got moved to plugincheck, but since plugincheck and the AMO blocklist are separate, we need to make sure that we update both of them.

Also, Schalk, since this shipped, can we remove the security flag?
Flags: needinfo?(schalk.neethling.bugs)
Flags: needinfo?(jorge)
:bsmedberg, I reckon we can. I do not seem to have the needed rights to remove the flag though, so feel free to remove it if you are able. Thanks!
Flags: needinfo?(schalk.neethling.bugs)
There are no blocks for the Real Player plugin. To create a blocklist bug I'll need version and platform details.
Flags: needinfo?(jorge)
Group: websites-security
Jorge, do you need more details than the realplayer security bulletins from comment 0?
Flags: needinfo?(jorge)
Sorry for the delay, I filed bug 1222130 to deal with the block.
Flags: needinfo?(jorge)