Bug#: 247229
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Christian Hoffmann <hoffie@gentoo.org>

Description:   Opened: 2008-11-17 17:20 0000
$URL has an exploit for Opera 9.62 which allows for remote code execution by
enticing a user to visit a malicious page.

Might be Windows-only, I'm unable to even make opera crash (the page just sits
there loading forever, Opera keeps responsive).

------- Comment #1 From Christian Hoffmann 2008-11-17 17:22:44 0000 -------
So.. waiting for new information / upstream reactions. No idea whether they've
been contacted yet...

------- Comment #2 From k`sOSe 2008-11-18 11:21:43 0000 -------
(In reply to comment #1)
> So.. waiting for new information / upstream reactions. No idea whether they've
> been contacted yet...
> 

Opera has been informed in early October.

------- Comment #3 From Jeroen Roovers 2008-11-18 17:25:26 0000 -------
Steps to reproduce:

$ lynx -dont_wrap_pre -dump 'http://www.milw0rm.com/exploits/7135' >
/keeps/gentoo/bugs/247229/7135.html
$ opera /keeps/gentoo/bugs/247229/7135.html
ERROR: ld.so: object 'libjvm.so' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object 'libawt.so' from LD_PRELOAD cannot be preloaded: ignored.
NPP_GetValue(1)
NPP_GetMIMEDescription()
NPP_GetValue(1)
NPP_GetValue(2)
Segmentation fault
$ _

------- Comment #4 From Jeroen Roovers 2008-11-18 17:37:40 0000 -------
Tue Nov 18 18:37:08 CET 2008
Portage 2.2_rc14 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0,
2.6.25-gentoo-r7-JeR i686)
=================================================================
System uname:
Linux-2.6.25-gentoo-r7-JeR-i686-AMD_Athlon-tm-_XP_2500+-with-glibc2.0
Timestamp of tree: Tue, 18 Nov 2008 05:15:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
ccache version 2.4 [disabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r7
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.7.9-r1, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=athlon-xp"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/app-defaults/XTerm
/usr/share/X11/app-defaults/XTerm-color"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/
/etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo
/etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -march=athlon-xp"
DISTDIR="/keeps/gentoo/distfiles"
FEATURES="autoaddcvs buildpkg cvs distlocks fixpackages notitles parallel-fetch
preserve-libs protect-owned sandbox sfperms splitdebug strict unmerge-orphans
userfetch"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo
http://gentoo.tiscali.nl/ http://mirror.muntinternet.net/pub/gentoo/ "
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en en_GB nl"
MAKEOPTS="-j3"
PKGDIR="/keeps/gentoo/packages/astrid"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/keeps/gentoo/portage"
PORTDIR_OVERLAY="/keeps/gentoo/local"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac aalib acpi alsa asf audiofile bash-completion
berkdb bl bluetooth boost branding bzip2 cairo cdda cddb cdio cdparanoia cdr
chroot cli cpudetection cracklib crypt cscope css cups curl custom-cflags dga
dillo divx dri dv dvd dvdr dvdread edl eds elf emboss encode evo fame fbcon
ffmpeg flac flash fontforge foomaticdb fortran freetype gdbm ggi gif gimpprint
glib glitz glut gmedia gnokii gnutls gpm gs gstreamer gtk gtk2 iconv idn
imagemagick imlib inkjar ipv6 isdnlog jingle jpeg kde lcms libcaca libnotify
libsamplerate live lm_sensors logrotate lzo mad matroska midi mikmod mjpeg mmx
mng modplug mozilla mozsvg mozxmlterm mp3 mpeg mplayer mudflap musepack ncurses
nethack network nls nptl nptlonly nsplugin offensive ogg opengl openmp
optimisememory pam pcre pda pdf perl physfs plotutils png ppds pppd pulseaudio
python quicktime readline realmedia reflection rtc rtsp ruby samba screenshot
sdl server session sftplogging shout skins smux snmp speex spell spl sse sse2
sse3 ssl startup-notification stream svg sysfs syslog tcpd test tetex tga
theora threads tiff truetype unicode upnp usb userlocales utils v4l v4l2 vcd
vidix vlm vorbis win32codecs winbind wmp x86 xanim xml xml2 xorg xosd xulrunner
xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106
cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0
intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug
rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic
authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm
authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache
dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache
filter headers include info log_config logio mem_cache mime mime_magic
negotiation rewrite setenvif speling status unique_id userdir usertrack
vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev wacom"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" LINGUAS="en en_GB nl" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #5 From Jeroen Roovers 2008-11-18 18:18:45 0000 -------
Btw, the segfault seems to suggest that an entirely unhardened Linux is coping
quite well here - I see opera sucking up an enormous amount of memory and then
segfaulting (probably some missing malloc check).

------- Comment #6 From Christian Hoffmann 2008-11-19 09:48:58 0000 -------
jer, could you also try remotely please? Maybe the "local" in milw0rm's title
really means that the exploit code needs to be on the local machine already,
which would make this issue much less important, imo.

------- Comment #7 From Christian Hoffmann 2008-11-19 14:09:15 0000 -------
(In reply to comment #6)
> jer, could you also try remotely please? Maybe the "local" in milw0rm's title
> really means that the exploit code needs to be on the local machine already,
> which would make this issue much less important, imo.

Secunia confirms that this can only be exploited locally.
http://secunia.com/advisories/32752/

------- Comment #8 From Stefan Behte 2008-11-19 14:36:28 0000 -------
Re-rating as B3.

------- Comment #9 From Jeroen Roovers 2008-11-19 16:13:48 0000 -------
(In reply to comment #7)
> (In reply to comment #6)
> > jer, could you also try remotely please? Maybe the "local" in milw0rm's title
> > really means that the exploit code needs to be on the local machine already,
> > which would make this issue much less important, imo.
> 
> Secunia confirms that this can only be exploited locally.
> http://secunia.com/advisories/32752/

The advisory header actually says "Where: From remote" but I guess that's some
kind of oversight. I uploaded the code to dev.g.o/~jer/* and loaded that in
Opera, but instead of the reproducible segfault all I got was an idling
page...

------- Comment #10 From Stefan Behte 2008-11-21 14:37:52 0000 -------
CVE-2008-5178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5178):
  Heap-based buffer overflow in Opera 9.62 on Windows allows remote
  attackers to execute arbitrary code via a long file:// URI.

------- Comment #11 From Christian Hoffmann 2008-12-16 12:14:57 0000 -------
opera-9.63 released, which fixes this issue along with others.
Jeroen, please bump.

No idea about CVEs except for the initial issue.


Quoting the ChangeLog [1]

* Manipulating text input contents can allow execution of arbitrary code, as
  reported by Red XIII [2]

* HTML parsing flaw can cause Opera to execute arbitrary code, as reported by
  Alexios Fakos [3]

* Long hostnames in file: URLs can cause execution of arbitrary code, as
  reported by Vitaly McLain. [4]

* Script injection in feed preview can reveal contents of unrelated news feeds,
  as reported by David Bloom. [5]

* Built-in XSLT templates can allow cross-site scripting, as reported by Robert
  Swiecki of the Google Security Team. [6]

* Fixed an issue that could reveal random data, as reported by Matthew of
  Hispasec Sistemas. Details will be disclosed at a later date.

* SVG images embedded using <img> tags can no longer execute Java or plugin
  content, suggested by Chris Evans.

[1] http://www.opera.com/docs/changelogs/linux/963/
[2] http://www.opera.com/support/search/view/920/
[3] http://www.opera.com/support/search/view/921/
[4] http://www.opera.com/support/search/view/922/
[5] http://www.opera.com/support/search/view/923/
[6] http://www.opera.com/support/search/view/924/

------- Comment #12 From Jeroen Roovers 2008-12-16 12:34:48 0000 -------
*** Bug 251155 has been marked as a duplicate of this bug. ***

------- Comment #13 From Jeroen Roovers 2008-12-16 12:53:22 0000 -------
It's in the tree alright.

------- Comment #14 From Robert Buchholz 2008-12-16 13:32:12 0000 -------
Arches, please test and mark stable:
=www-client/opera-9.63
Target keywords : "amd64 ppc x86"

------- Comment #15 From Kenneth Prugh 2008-12-16 20:40:51 0000 -------
amd64 stable

------- Comment #16 From Tobias Scherbaum 2008-12-18 18:35:52 0000 -------
ppc stable

------- Comment #17 From Markus Meier 2008-12-20 17:33:19 0000 -------
x86 stable, all arches done.

------- Comment #18 From Alex Buell 2008-12-21 14:52:13 0000 -------
I've just discovered Opera 9.63 is now available for SPARC platforms. Could it
be unmasked and tested as unstable? 

------- Comment #19 From Tobias Heinlein 2008-12-21 20:17:17 0000 -------
GLSA request filed.

------- Comment #20 From Jeroen Roovers 2008-12-22 06:19:56 0000 -------
(In reply to comment #18)
> I've just discovered Opera 9.63 is now available for SPARC platforms. Could it
> be unmasked and tested as unstable? 

1) That's not related to this bug and you ought to have filed a new bug report.
2) It's only available for Solaris [1], which isn't supported in the Portage
tree.

[1] http://ftp.opera.com/pub/opera/unix/solaris/963/final/en/sparc/

------- Comment #21 From Tobias Heinlein 2009-03-09 23:17:58 0000 -------
(In reply to comment #10)
> CVE-2008-5178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5178):
>   Heap-based buffer overflow in Opera 9.62 on Windows allows remote
>   attackers to execute arbitrary code via a long file:// URI.
> 

"on Windows": Only the CVE says windows-only. Neither the upstream advisory nor
Secunia say it's Windows-only. Jer, could you please check whether we are
affected by this one or not?

------- Comment #22 From Jeroen Roovers 2009-03-10 05:30:10 0000 -------
(In reply to comment #21)
> Jer, could you please check whether we are
> affected by this one or not?

Comment #9?

------- Comment #23 From Tobias Heinlein 2009-03-16 23:56:48 0000 -------
GLSA 200903-30, thanks everyone.
