Bug#: 235298
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jeroen Roovers <jer@gentoo.org>
Description:   Opened: 2008-08-20 14:59 0000
Ignoring bug #195386 and bug #231830 for the moment, we're almost ready to
stabilise.

* Sites can no longer change framed content on other sites: see our advisory[1]
* Fixed an issue that could allow cross-site scripting, as reported by Chris
Weber of Casaba Security: details will be disclosed at a later date
* Custom shortcuts no longer pass the wrong parameters to applications, as
reported by Michael A. Puls II: see our advisory[2]
* Prevented insecure pages from showing incorrect security information, as
reported by Lars Kleinschmidt: see our advisory[3]
* Feed links can no longer link to local files: see our advisory[4]
* Feed subscription can no longer cause the wrong page address to be displayed:
see our advisory[5]

[1] http://www.opera.com/support/search/view/893/
[2] http://www.opera.com/support/search/view/894/
[3] http://www.opera.com/support/search/view/895/
[4] http://www.opera.com/support/search/view/896/
[5] http://www.opera.com/support/search/view/897/

------- Comment #1 From Jeroen Roovers 2008-08-20 15:06:51 0000 -------
An ebuild is in the tree and the package.mask entry has been removed. Feel free
to proceed with stabilisation.

------- Comment #2 From Robert Buchholz 2008-08-20 22:34:15 0000 -------
Arches, please test and mark stable:
=www-client/opera-9.52
Target keywords : "amd64 ppc sparc x86"

------- Comment #3 From Robert Buchholz 2008-08-20 22:38:06 0000 -------
I know, no sparc :-)

------- Comment #4 From Jeroen Roovers 2008-08-21 21:35:11 0000 -------
I don't think I can agree to this bug's Severity being "minor".

* Sites can no longer change framed content on other sites [...] - Highly
Severe
* Fixed an issue that could allow cross-site scripting [...] - [as yet unknown]
* Custom shortcuts no longer pass the wrong parameters to applications [...] -
Moderately Severe
* Prevented insecure pages from showing incorrect security information [...] -
Less Severe
* Feed links can no longer link to local files [...] - Less Severe
* Feed subscription can no longer cause the wrong page address to be displayed
[...] - Not Severe

The first of them should warrant expedient stabilisation and a matching
Severity setting on this bug report.

------- Comment #5 From Dawid Węgliński 2008-08-22 00:08:29 0000 -------
Stable flash stopped working in opera-9.52 here on amd64. :(

------- Comment #6 From Dawid Węgliński 2008-08-22 00:25:07 0000 -------
Okay, had to remerge netscape-flash. :) amd64 stable

I agree about the severity thing. It's much more critical imo.

------- Comment #7 From Dmitriy Amelin 2008-08-22 05:27:02 0000 -------
Stable on x86

------- Comment #8 From Robert Buchholz 2008-08-22 09:37:41 0000 -------
(In reply to comment #4)
> I don't think I can agree to this bug's Severity being "minor".

The severity is a direct result of the status B3 ('Global service compromise:
denial of service, passwords or full database leaks'), please refer to section
3 of the vulnerability treatment policy for details:
http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3

Any higher rating (B1/B2) would mean that an attacker could leverage any of
these vulnerabilities to execute code with or without user assistance.

------- Comment #9 From Jeroen Roovers 2008-08-22 17:55:02 0000 -------
(In reply to comment #7)
> Stable on x86

Please read http://devmanual.gentoo.org/keywording/ to find out what "stable on
x86" means in Gentoo parlance.

(In reply to comment #8)
> (In reply to comment #4)
> > I don't think I can agree to this bug's Severity being "minor".
> 
> The severity is a direct result of the status B3 ('Global service compromise:
> denial of service, passwords or full database leaks'), please refer to section
> 3 of the vulnerability treatment policy for details:
> http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3

Ah, I wasn't aware of that. Thanks.

------- Comment #10 From Markus Meier 2008-08-22 20:57:37 0000 -------
x86 stable

------- Comment #11 From Tobias Scherbaum 2008-08-25 18:28:55 0000 -------
ppc stable and ready for glsa voting

------- Comment #12 From Jeroen Roovers 2008-08-25 19:21:23 0000 -------
<www-client/opera-9.52 removed from the tree, except where package.masked.

------- Comment #13 From Tobias Heinlein 2008-09-02 17:04:12 0000 -------
I vote YES.

------- Comment #14 From Matt Drew 2008-09-08 17:12:04 0000 -------
I vote yes.

------- Comment #15 From Pierre-Yves Rofes 2008-09-18 21:48:25 0000 -------
yes too, request filed.

------- Comment #16 From Robert Buchholz 2008-09-24 15:50:14 0000 -------
CVE-2008-4195 Sites can change framed content on other sites
CVE-2008-4196 cross-site scripting
CVE-2008-4197 Custom shortcuts
CVE-2008-4198 insecure pages show incorrect security information
CVE-2008-4199 Feed links can link to local files
CVE-2008-4200 feed subscription can cause the wrong page address to be
displayed

------- Comment #17 From Robert Buchholz 2008-09-29 14:58:07 0000 -------
CVE-2008-4195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4195):
  Opera before 9.52 does not properly restrict the ability of a framed
  web page to change the address associated with a different frame,
  which allows remote attackers to trigger the display of an arbitrary
  address in a frame via unspecified use of web script.

CVE-2008-4196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4196):
  Cross-site scripting (XSS) vulnerability in Opera before 9.52 allows
  remote attackers to inject arbitrary web script or HTML via
  unspecified vectors.

CVE-2008-4197 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4197):
  Opera before 9.52 on Windows, Linux, FreeBSD, and Solaris, when
  processing custom shortcut and menu commands, can produce argument
  strings that contain uninitialized memory, which might allow
  user-assisted remote attackers to execute arbitrary code or conduct
  other attacks via vectors related to activation of a shortcut.

CVE-2008-4198 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4198):
  Opera before 9.52, when rendering an http page that has loaded an
  https page into a frame, displays a padlock icon and offers a
  security information dialog reporting a secure connection, which
  might allow remote attackers to trick a user into performing unsafe
  actions on the http page.

CVE-2008-4199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4199):
  Opera before 9.52 does not prevent use of links from web pages to
  feed source files on the local disk, which might allow remote
  attackers to determine the validity of local filenames via vectors
  involving "detection of JavaScript events and appropriate
  manipulation."

CVE-2008-4200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4200):
  Opera before 9.52 does not ensure that the address field of a news
  feed represents the feed's actual URL, which allows remote attackers
  to change this field to display the URL of a page containing web
  script controlled by the attacker.

CVE-2008-4292 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4292):
  Opera before 9.52 does not check the CRL override upon encountering a
  certificate that lacks a CRL, which has unknown impact and attack
  vectors.  NOTE: it is not clear whether this is a vulnerability, but
  the vendor included it in a security section of the advisory.

------- Comment #18 From Tobias Heinlein 2008-11-03 19:01:36 0000 -------
GLSA 200811-01, thanks everyone and sorry about the delay.
