Bug 129800 - www-client/opera: crash and maybe code execution with <STYLE> (CVE-2006-1834)
Summary: www-client/opera: crash and maybe code execution with <STYLE> (CVE-2006-1834)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.sec-consult.com/259.html
Whiteboard: B2 [glsa] Falco
Keywords:
Duplicates: 128896 132865 132877 133491 134055
Depends on: 114807
Blocks: 122766
Reported: 2006-04-13 05:57 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2007-05-31 10:55 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Opera 8.54 ebuild (opera-8.54.ebuild,4.42 KB, application/octet-stream)
2006-05-10 02:11 UTC, Aquila

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-13 05:57:14 UTC
Source : SEC Consult, on full-disclosure@ (see also the changelog http://www.opera.com/docs/changelogs/linux/854/ )

Vulnerability overview:
---------------

Due to a signedness error in the length check in a string utility
function, a signed expansion and a subsequent call to wcsncpy, it is
possible to overwrite large portions behind the target buffer. Doing so
crashes the application. Exploitation for code execution seems hard
due to the large amount of memory being copied, of which only a small
portion can be controlled (we didn't spend too much time on that, though).
The bug can be triggered by specifying a long value within a stylesheet
attribute.

<STYLE type=text/css>A { FONT-FAMILY: 35000x'A' } </STYLE>



Vendor status:
---------------
vendor notified: 2006-03-14
vendor response: 2006-03-16
fixed: 2006-04-05

The bug has been fixed in Opera 8.54 and in current versions of Opera 9.0.
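Added illustration, not code from the advisory, Opera or Gentoo: a C model of the flawed length check described above (a length stored in a signed 16-bit field, sign-extended before a signed comparison, then passed to wcsncpy as size_t), beside a bounded copy that rejects or truncates instead. The 35000-character trigger quoted above is exactly a value above 32767, which is what makes the sign extension bite. Buffer capacity and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

#define FONT_NAME_CAP 256   /* assumed capacity of the target buffer, in wchar_t */

/* Models the flawed pattern from the advisory. The attribute length is kept in a
 * 16-bit field, sign-extended into an int for the comparison, and then handed to
 * wcsncpy, whose size_t parameter turns a negative count into a huge one.
 * Returns the count wcsncpy would receive, or 0 when the check rejects the input.
 * Nothing is copied here on purpose; this only shows why the check is no guard. */
size_t flawed_copy_count(size_t attr_len)
{
    unsigned low = (unsigned)(attr_len & 0xFFFFu);        /* 16-bit storage */
    int len = (low & 0x8000u) ? (int)low - 0x10000 : (int)low; /* sign extension: 35000 -> -30536 */
    if (len > FONT_NAME_CAP - 1)                          /* a negative len passes this */
        return 0;
    return (size_t)len;  /* wcsncpy(dst, src, len): -30536 becomes SIZE_MAX - 30535 */
}

/* Hardened form: the length stays unsigned end to end and is bounded by the
 * destination capacity before anything is copied. Returns the number of
 * characters written, not counting the terminator. */
size_t safe_copy_font_name(wchar_t *dst, size_t dst_cap,
                           const wchar_t *src, size_t src_len)
{
    if (dst_cap == 0)
        return 0;
    size_t n = src_len < dst_cap - 1 ? src_len : dst_cap - 1;  /* truncate, never overrun */
    wcsncpy(dst, src, n);
    dst[n] = L'\0';   /* wcsncpy leaves no terminator when it truncates */
    return n;
}
```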
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-13 06:03:22 UTC
This may be a B1 (remote code execution). (severity=major)

If code execution is impossible, it is "only" a B3 (severity=minor)

Please look into this and advise me :)
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-13 06:07:11 UTC
Sorry, not B1 but B2, in the worst case.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-18 23:34:33 UTC
Seems like Opera consider it only a crash:
Fixed stability issue reported by SEC-Consult Unternehmensberatung GmbH.

Padawans could you see whether this is exploitable, otherwise it's hardly a security issue.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-04-22 03:05:30 UTC
Reassigning to auditors so that they confirm it's not really exploitable for more than a crash.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-23 01:26:19 UTC
CVE-2006-1834 :
"Integer signedness error in Opera before 8.54 allows remote attackers to execute arbitrary code via long values in a stylesheet attribute, which pass a length check. NOTE: a sign extension problem makes the attack easier with shorter strings."
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-26 09:03:30 UTC
8.54 corrects this vuln.

it seems to be exploitable for remote code execution, as for Securityfocus (at least).

Lanius, please provide 8.54 ebuild if possible, thanks a lot
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2006-05-02 02:15:26 UTC
*** Bug 128896 has been marked as a duplicate of this bug. ***
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2006-05-10 01:18:35 UTC
*** Bug 132865 has been marked as a duplicate of this bug. ***
Comment 9 Aquila 2006-05-10 02:11:00 UTC
Created attachment 86532 [details]
Opera 8.54 ebuild

Ebuild for 8.54: worksforme
Comment 10 Jakub Moc (RETIRED) gentoo-dev 2006-05-10 03:33:23 UTC
*** Bug 132877 has been marked as a duplicate of this bug. ***
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-10 04:14:04 UTC
thanks Bart.

I think this is clearly a security issue (see CVE-2006-1834, SecurityFocus 17513)

we should find someone able to commit the ebuild into portage; maybe one of sec team ?
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2006-05-16 07:27:32 UTC
*** Bug 133491 has been marked as a duplicate of this bug. ***
Comment 13 Aquila 2006-05-22 01:07:42 UTC
This security bug is open for more than a month. Are there any updates on this one?
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-22 07:28:51 UTC
The ebuild attached above doesn't work for me. I get a sandbox violation:
ACCESS DENIED  open_wr:   /usr/share/icons/hicolor/48x48/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/48x48/apps/opera.png': Permission denied
ACCESS DENIED  open_wr:   /usr/share/icons/hicolor/32x32/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/32x32/apps/opera.png': Permission denied
ACCESS DENIED  open_wr:   /usr/share/icons/hicolor/22x22/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/22x22/apps/opera.png': Permission denied
Could not find shortcut installation directory, desktop entry not installed.
install: cannot stat `/usr/local/portage/www-client/opera/files/opera.desktop': No such file or directory
>>> Completed installing opera-8.54 into /mnt/portage/portage_tmp/portage/opera-8.54/image/

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-www-client_-_opera-8.54-22351.log"

open_wr:   /usr/share/icons/hicolor/48x48/apps/opera.png
open_wr:   /usr/share/icons/hicolor/32x32/apps/opera.png
open_wr:   /usr/share/icons/hicolor/22x22/apps/opera.png
--------------------------------------------------------------------------------
Comment 15 Jakub Moc (RETIRED) gentoo-dev 2006-05-22 13:47:18 UTC
*** Bug 134055 has been marked as a duplicate of this bug. ***
Comment 16 Bryan Østergaard (RETIRED) gentoo-dev 2006-05-25 13:49:07 UTC
Couldn't reproduce the sandbox issues using portage-2.1_rc2 so added ebuild to portage.
Comment 17 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-25 13:54:14 UTC
arches please test and mark 8.54 stable, thank you
Comment 18 Joe Jezak (RETIRED) gentoo-dev 2006-05-25 16:33:09 UTC
Marked ppc stable.
Comment 19 Mark Loeser (RETIRED) gentoo-dev 2006-05-25 21:39:55 UTC
x86 done
Comment 20 Markku 2006-05-26 07:46:37 UTC
Static version fails with wrong size,

- `/usr/portage/distfiles/opera-8.54-20060330.1-static-qt.i386-en.tar.bz2' saved [5812590]

>>> md5 files   ;-) opera-8.51.ebuild
>>> md5 files   ;-) opera-8.52.ebuild
>>> md5 files   ;-) opera-8.54.ebuild
>>> md5 files   ;-) files/opera-qt.2.patch
>>> md5 files   ;-) files/digest-opera-8.51
>>> md5 files   ;-) files/digest-opera-8.52
>>> md5 files   ;-) files/digest-opera-8.54
>>> md5 files   ;-) files/opera.desktop

!!! Digest verification Failed:
!!!    /usr/portage/distfiles/opera-8.54-20060330.1-static-qt.i386-en.tar.bz2
!!! Reason: Filesize does not match recorded size

mjollnir mka # grep static-qt.i386 /usr/portage/www-client/opera/files/digest-opera-8.54
MD5 16969fd3b4c5c4ccdfffddf34f95f71d opera-8.54-20060330.1-static-qt.i386-en.tar.bz2 3288384

mjollnir mka # ls -al opera-8.54-20060330.1-static-qt.i386-en.tar.bz2
-rw-rw-r-- 1 root portage 5812590 2006-05-26 17:34 opera-8.54-20060330.1-static-qt.i386-en.tar.bz2

mjollnir mka # head -c 3288384 opera-8.54-20060330.1-static-qt.i386-en.tar.bz2 | md5sum
16969fd3b4c5c4ccdfffddf34f95f71d

It seems that file size is truncated in ebuild.
Comment 21 Thomas Matthijs (RETIRED) gentoo-dev 2006-05-26 08:26:23 UTC
digest was indeed wrong for the static-qt version, fixed.
Comment 22 Thomas Cort (RETIRED) gentoo-dev 2006-05-27 13:10:10 UTC
(In reply to comment #16)
> Couldn't reproduce the sandbox issues using portage-2.1_rc2 so added ebuild to
> portage.

I ran into the sandbox issue with portage-2.0.54-r2. Since it is the current stable version on amd64 and people will be emerge'ing opera with it, I'm not going to mark opera-8.54 stable on amd64 until the sandbox issue is fixed.


# emerge --info
Portage 2.0.54-r2 (default-linux/amd64/2006.0, gcc-3.4.5, glibc-2.3.6-r3, 2.6.15-gentoo-r7 x86_64)
=================================================================
System uname: 2.6.15-gentoo-r7 x86_64 AMD Turion(tm) 64 Mobile Technology ML-32
Gentoo Base System version 1.6.14
dev-lang/python:     2.4.2
dev-python/pycrypto: [Not Present]
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib64/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig cvs distlocks multilib-strict sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ "
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://134.68.220.73/gentoo-portage"
USE="amd64 X aac acpi aim alsa audacious audiofile avi berkdb bitmap-fonts browserplugin bzip2 cdr cli crypt cups curl dbus dri eds emboss encode esd ethereal exif expat fam flac foomaticdb gd gdbm gif glut gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imlib ipv6 isdnlog jabber java jpeg kde lcms libcaca libwww lua lzw lzw-tiff mad mikmod mng mono mozilla moznocompose moznoirc moznomail mp3 mpeg msn mysql ncurses nls nocd nptl nptlonly nsplugin offensive ogg oggvorbis openal opengl oscar pam pcre pdflib perl php png pppd python qt quicktime readline reflection sdl session shorten sndfile spell spl ssl symlink tcpd tetex tiff truetype truetype-fonts type1-fonts udev usb userlocales vorbis wxgtk1 xml2 xmms xorg xpm xv xvid yahoo zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS


>>> Install opera-8.54 into /var/tmp/portage/opera-8.54/image/ category www-client

System wide configuration files:
  /var/tmp/portage/opera-8.54/image//etc//opera6rc
  /var/tmp/portage/opera-8.54/image//etc//opera6rc.fixed
 would be ignored if installed with the prefix "/var/tmp/portage/opera-8.54/image//opt/opera".
Do you want to install them in /var/tmp/portage/opera-8.54/image//etc/ [ y,n | yes,no ] ?

Shortcut icons will be ignored if installed with the prefix "/var/tmp/portage/opera-8.54/image//opt/opera".
Do you want to (try to) install them in default locations [ y,n | yes,no ] ?
ACCESS DENIED  open_wr:   /usr/share/icons/hicolor/48x48/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/48x48/apps/opera.png': Permission denied
ACCESS DENIED  open_wr:   /usr/share/icons/hicolor/32x32/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/32x32/apps/opera.png': Permission denied
ACCESS DENIED  open_wr:   /usr/share/icons/hicolor/22x22/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/22x22/apps/opera.png': Permission denied
Could not find shortcut installation directory, desktop entry not installed.
man:
strip: x86_64-pc-linux-gnu-strip --strip-unneeded
   /opt/opera/lib/opera/8.54-20060330.5/opera
   /opt/opera/lib/opera/8.54-20060330.5/spellcheck.so
   /opt/opera/lib/opera/8.54-20060330.5/works
   /opt/opera/lib/opera/8.54-20060330.5/missingsyms.so
   /opt/opera/lib/opera/plugins/operamotifwrapper-1
   /opt/opera/lib/opera/plugins/operamotifwrapper-2
   /opt/opera/lib/opera/plugins/operamotifwrapper-3
   /opt/opera/lib/opera/plugins/libnpp.so
   /opt/opera/lib/opera/plugins/operaplugincleaner
>>> Completed installing opera-8.54 into /var/tmp/portage/opera-8.54/image/

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-www-client_-_opera-8.54-9221.log"

open_wr:   /usr/share/icons/hicolor/48x48/apps/opera.png
open_wr:   /usr/share/icons/hicolor/32x32/apps/opera.png
open_wr:   /usr/share/icons/hicolor/22x22/apps/opera.png
--------------------------------------------------------------------------------

Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-30 08:42:40 UTC
Back to ebuild to get the sandbox issue fixed.
Comment 24 Thomas Cort (RETIRED) gentoo-dev 2006-05-31 12:36:36 UTC
The sandbox issue has been resolved. amd64 stable. Thanks!
Comment 25 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-31 12:39:13 UTC
thanks, ready for glsa
Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-06 22:34:51 UTC
GLSA 200606-01

Thx everyone and sorry for the delay.