
Bug 52867

Summary: net-www/opera security fix in 7.51
Product: Gentoo Security
Reporter: Boris <1723542c42148b2fe4af9f7ad1e382b30d4b7fd7>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: amd64, lanius, mem7, ppc
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.opera.com/windows/changelogs/751/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Attachments (description: flags):
opera-7.51.ebuild.patch: none
opera-7.51.ebuild.spell.patch: none
opera-7.51.ebuild.patch (makes einfo depend on spell-flag): none

Description Boris 2004-06-03 04:06:25 UTC
Fixes this security-issue: (taken from Changelog)
"Restricted image size in address bar, page bar and page/window cycler. This addresses issue reported in GreyMagic security advisory GM#007-OP: wide favicons could cover URL in the address line."

I made two patches, one that just bumps to the new version and one that also adds the spell-use-flag (see Bug #51183), so that aspell is not needed for opera.

Please note that I added the variable OPERAFTPDIR to the ebuild, so it is much easier to change the SRC_URI in the future.

Reproducible: Always
Comment 1 Boris 2004-06-03 04:07:03 UTC
Created attachment 32579 [details, diff]
opera-7.51.ebuild.patch
Comment 2 Boris 2004-06-03 04:08:18 UTC
Created attachment 32580 [details, diff]
opera-7.51.ebuild.spell.patch
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2004-06-03 05:25:07 UTC
added and marked stable on x86
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-06-03 06:41:44 UTC
sparc, please mark stable.
Comment 5 Boris 2004-06-03 07:09:00 UTC
Created attachment 32584 [details, diff]
opera-7.51.ebuild.patch (makes einfo depend on spell-flag)

I forgot to remove the einfo-message for users that do not install
spell-support.

I changed that in this patch.
Comment 6 Jason Wever (RETIRED) gentoo-dev 2004-06-04 05:01:35 UTC
Stable on sparc.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-06-04 14:50:09 UTC
Not sure this is GLSA worth... security, please vote
Comment 8 Dan Margolis (RETIRED) gentoo-dev 2004-06-04 17:02:41 UTC
I vote no on a GLSA. There's no threat to the user's system; the phishing threat is probably not even that great given our audience (of hopefully-sensible users). Regardless, there's no *direct* threat here to systems running the vulnerable version and I haven't seen anyone else release advisories. Opera is probably not used by more than 5% of our users (anyone care to correct me?  I know I hate the banner ads) and so the chance of ``exploitation'' is minimal. 
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-04 22:31:58 UTC
I second Krispykringle: no need for a GLSA. There is no direct threat and the issue is really minor. Remove the old vulnerable ebuilds and be done with it.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-06-07 04:57:09 UTC
Closed without GLSA
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-07 13:11:12 UTC
*** Bug 53240 has been marked as a duplicate of this bug. ***