Bug 325199 (CVE-2010-2665) - <www-client/opera-10.11: Data URIs can be used to allow cross-site scripting (CVE-2010-2665)
Status: RESOLVED FIXED
Alias: CVE-2010-2665
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.opera.com/support/kb/view/...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-23 11:02 UTC by Jeroen Roovers (RETIRED)
Modified: 2012-06-15 17:40 UTC

See Also:
Package list:
Runtime testing required: ---


Description Jeroen Roovers (RETIRED) gentoo-dev 2010-06-23 11:02:23 UTC
Advisory: Data URIs can be used to allow cross-site scripting

Severity: Highly severe

= Description =
Data URIs are allowed to run scripts that manipulate pages from the site that directly opened them. In some cases, the opening site is not correctly detected. In these cases, Data URIs may erroneously be able to run scripts so that they interact with sites that did not directly cause them to be opened.

= Opera's response =
Opera Software has released Opera 10.54 on Windows and Mac, and Opera 10.11 on Linux and FreeBSD, where this issue has been fixed.

Arch teams, please test and mark stable:
=www-client/opera-10.11
Target KEYWORDS="amd64 ppc x86"
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-23 11:39:41 UTC
x86 stable
Comment 2 Christoph Mende (RETIRED) gentoo-dev 2010-06-23 16:41:18 UTC
amd64 stable, ppc doesn't seem to have 10.1[10] keyworded btw
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-23 17:40:05 UTC
Correct. There is no Qt3 left to support PPC.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 17:00:59 UTC
GLSA Vote: yes.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:05:16 UTC
We have an opera GLSA pending, it will be added there.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 17:40:37 UTC
This issue was resolved and addressed in
 GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml
by GLSA coordinator Sean Amoss (ackle).