Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 429478 - <www-client/opera-12.01.1532 - multiple vulnerabilities (CVE-2012-{4142,4143,4144,4145,4146})
Summary: <www-client/opera-12.01.1532 - multiple vulnerabilities (CVE-2012-{4142,4143,...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.opera.com/docs/changelogs/...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-02 12:24 UTC by Jeroen Roovers (RETIRED)
Modified: 2012-09-25 21:52 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2012-08-02 12:24:57 UTC
= Security =
 - Re-fixed an issue where certain URL constructs could allow arbitrary code
   execution, as reported by Andrey Stroganov; see our advisory[1]
 - Fixed an issue where certain characters in HTML could incorrectly be ignored,
   which could facilitate XSS attacks; see our advisory[2]
 - Fixed another issue where small windows could be used to trick users into
   executing downloads as reported by Jordi Chancel; see our advisory[3]
 - Fixed an issue where an element's HTML content could be incorrectly returned
   without escaping, bypassing some HTML sanitizers; see our advisory[4]
 - Fixed a low severity issue, details will be disclosed at a later date

[1] http://www.opera.com/support/kb/view/1016/
[2] http://www.opera.com/support/kb/view/1026/
[3] http://www.opera.com/support/kb/view/1027/
[4] http://www.opera.com/support/kb/view/1025/

---

Arch teams, please test and mark stable:
=www-client/opera-12.01.1532
Stable KEYWORDS : amd64 x86
Comment 1 Agostino Sarubbo gentoo-dev 2012-08-02 13:02:17 UTC
amd64 stable
Comment 2 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-08-03 06:58:39 UTC
x86 stable
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-03 11:43:12 UTC
Thanks, everyone. 

GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-08-06 23:56:47 UTC
CVE-2012-4146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4146):
  Opera before 12.01 allows remote attackers to cause a denial of service
  (application crash) via a crafted web site, as demonstrated by the Lenovo
  "Shop now" page.

CVE-2012-4145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4145):
  Unspecified vulnerability in Opera before 12.01 on Windows and UNIX, and
  before 11.66 and 12.x before 12.01 on Mac OS X, has unknown impact and
  attack vectors, related to a "low severity issue."

CVE-2012-4144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4144):
  Opera before 12.01 on Windows and UNIX, and before 11.66 and 12.x before
  12.01 on Mac OS X, does not properly escape characters in DOM elements,
  which makes it easier for remote attackers to bypass cross-site scripting
  (XSS) protection mechanisms via a crafted HTML document.

CVE-2012-4143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4143):
  Opera before 12.01 on Windows and UNIX, and before 11.66 and 12.x before
  12.01 on Mac OS X, allows user-assisted remote attackers to trick users into
  downloading and executing arbitrary files via a small window for the
  download dialog, a different vulnerability than CVE-2012-1924.

CVE-2012-4142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4142):
  Opera before 12.01 on Windows and UNIX, and before 11.66 and 12.x before
  12.01 on Mac OS X, ignores some characters in HTML documents in unspecified
  circumstances, which makes it easier for remote attackers to conduct
  cross-site scripting (XSS) attacks via a crafted document.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-09-25 21:52:11 UTC
This issue was resolved and addressed in
 GLSA 201209-11 at http://security.gentoo.org/glsa/glsa-201209-11.xml
by GLSA coordinator Sean Amoss (ackle).