A vulnerability has been identified in Opera, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by an integer truncation error within the Opera Internet Browser module "opera.dll" when handling an HTML "select" element containing an overly large number of children, which could allow remote attackers to execute arbitrary code by convincing a user to visit a specially crafted web page. VUPEN has confirmed this vulnerability with Opera versions 11.00 and 10.63 on Windows 7 and Windows XP SP3.
Arch teams, please test and mark stable:
=www-client/opera-11.01.1190
Target KEYWORDS="amd64 x86"
== Security ==
- Fixed -
* Removed support for "javascript:" URLs in CSS -o-link values, to make it easier for sites to filter untrusted CSS.
* Fixed an issue where large form inputs could allow execution of arbitrary code, as reported by Jordi Chancel; see our advisory.[1]
* Fixed an issue which made it possible to carry out clickjacking attacks against internal opera: URLs; see our advisory.[2]
* Fixed issues which allowed web pages to gain limited access to files on the user's computer; see our advisory.[3]
* Fixed an issue where email passwords were not immediately deleted when deleting private data; see our advisory.[4]
[1] http://www.opera.com/support/kb/view/982/
[2] http://www.opera.com/support/kb/view/983/
[3] http://www.opera.com/support/kb/view/984/
[4] http://www.opera.com/support/kb/view/986/
x86 stable
amd64 ok!
amd64 done. Thanks Agostino
Thanks, folks. Added to existing GLSA request.
CVE-2011-0687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0687): Opera before 11.01 does not properly implement Wireless Application Protocol (WAP) dropdown lists, which allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted WAP document.
CVE-2011-0686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0686): Unspecified vulnerability in Opera before 11.01 allows remote attackers to cause a denial of service (application crash) via unknown content on a web page, as demonstrated by vkontakte.ru.
CVE-2011-0685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0685): The Delete Private Data feature in Opera before 11.01 does not properly implement the "Clear all email account passwords" option, which might allow physically proximate attackers to access an e-mail account via an unattended workstation.
CVE-2011-0684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0684): Opera before 11.01 does not properly handle redirections and unspecified other HTTP responses, which allows remote web servers to obtain sufficient access to local files to use these files as page resources, and consequently obtain potentially sensitive information from the contents of the files, via an unknown response manipulation.
CVE-2011-0683 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0683): Opera before 11.01 does not properly restrict the use of opera: URLs, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.
CVE-2011-0682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0682): Integer truncation error in opera.dll in Opera before 11.01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTML form with a select element that contains a large number of children.
CVE-2011-0681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0681): The Cascading Style Sheets (CSS) Extensions for XML implementation in Opera before 11.01 recognizes links to javascript: URLs in the -o-link property, which makes it easier for remote attackers to bypass CSS filtering via a crafted URL.
This issue was resolved and addressed in GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml by GLSA coordinator Sean Amoss (ackle).