Source : SEC Consult, on full-disclosure@ (see also the changelog http://www.opera.com/docs/changelogs/linux/854/ )

Vulnerability overview:
---------------
Due to a signedness error in the length check in a string utility function, a signed expansion and a subsequent call to wcsncpy, it is possible to overwrite large portions behind the target buffer. Doing so crashes the application. Exploitation for code execution seems hard due to the large amount of memory being copied, of which only a small portion can be controlled (we didn't spend too much time on that, though).

The bug can be triggered by specifying a long value within a stylesheet attribute.

<STYLE type=text/css>A { FONT-FAMILY: 35000x'A' } </STYLE>

Vendor status:
---------------
vendor notified: 2006-03-14
vendor response: 2006-03-16
fixed: 2006-04-05

The bug has been fixed in Opera 8.54 and in current versions of Opera 9.0.
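The signedness error the advisory describes, as an added example that is not from the advisory, SEC Consult or Opera's code: a model in C of the length check in its vulnerable form (a signed 16-bit length that wraps negative for a 35000-character value, passes the bound and is sign-extended to a huge count) next to a hardened form that keeps the length unsigned, checks the bound before any narrowing and terminates the destination after wcsncpy. The buffer size TARGET_CAP, the 16-bit width of the length and all function names are assumptions made for illustration; the vulnerable path only reports the count it would hand to wcsncpy and performs no copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Hypothetical capacity of the destination buffer, in wchar_t units.
 * (Assumed value; the advisory does not give the real buffer size.) */
#define TARGET_CAP 256

/* Vulnerable pattern (a model, not Opera's code): the source length is carried
 * in a signed 16-bit variable.  A 35000-character value wraps to -30536, the
 * "len < TARGET_CAP" bound holds trivially for a negative number, and the
 * conversion to size_t for the copy routine sign-extends it into an enormous
 * count.  Returns the count that would reach wcsncpy, or 0 if the check
 * rejected the input. */
size_t vulnerable_copy_count(unsigned long source_len)
{
    int16_t len = (int16_t)source_len;   /* 35000 truncates to -30536 */
    if (len >= TARGET_CAP)
        return 0;                        /* only lengths 256..32767 are caught */
    return (size_t)len;                  /* -30536 becomes SIZE_MAX - 30535 */
}

/* Hardened pattern: the length stays unsigned and as wide as size_t, the bound
 * is checked before any narrowing, and one slot is reserved for the terminator.
 * Returns the number of characters that may be copied, or 0 to reject. */
size_t hardened_copy_count(size_t source_len)
{
    if (source_len >= TARGET_CAP)
        return 0;
    return source_len;
}

/* Bounded copy built on the hardened check.  wcsncpy does not terminate the
 * destination when the source fills it, so the terminator is written
 * explicitly.  Returns 1 on success, 0 when the source does not fit. */
int copy_font_family(wchar_t dst[TARGET_CAP], const wchar_t *src)
{
    size_t n = hardened_copy_count(wcslen(src));
    if (n == 0 && src[0] != L'\0')       /* rejected; an empty source is fine */
        return 0;
    wcsncpy(dst, src, n);
    dst[n] = L'\0';
    return 1;
}

/* Builds a heap-allocated wide string of `len` copies of 'A' (caller frees),
 * a constructed stand-in for the long FONT-FAMILY value in the advisory. */
wchar_t *make_long_value(size_t len)
{
    wchar_t *s = malloc((len + 1) * sizeof *s);
    if (!s)
        return NULL;
    for (size_t i = 0; i < len; i++)
        s[i] = L'A';
    s[len] = L'\0';
    return s;
}

/* Runs the hardened copy on a constructed value of `len` characters and
 * reports whether it was accepted (1), rejected (0) or could not be built (-1). */
int accepts_value(size_t len)
{
    wchar_t dst[TARGET_CAP];
    wchar_t *value = make_long_value(len);
    if (!value)
        return -1;
    int ok = copy_font_family(dst, value);
    free(value);
    return ok;
}

int main(void)
{
    printf("vulnerable check hands wcsncpy %zu wchar_t for a 35000-char value "
           "(buffer holds %d)\n", vulnerable_copy_count(35000), TARGET_CAP);
    printf("hardened copy accepts 35000-char value: %d\n", accepts_value(35000));
    printf("hardened copy accepts 5-char value: %d\n", accepts_value(5));
    return 0;
}
```

The vulnerable check only rejects lengths between 256 and 32767: anything above 32767 wraps negative, satisfies the comparison, and turns into a count far larger than the buffer once converted to size_t, which is exactly the "large portions behind the target buffer" the advisory reports. The hardened variant compares in the unsigned width of size_t before anything is narrowed, so no input length can sneak past the bound.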
This may be a B1 (remote code execution). (severity=major) If code execution is impossible, it is "only" a B3 (severity=minor) Please look into this and advise me :)
Sorry, not B1 but B2, in the worst case.
Seems like Opera considers it only a crash: "Fixed stability issue reported by SEC-Consult Unternehmensberatung GmbH." Padawans, could you see whether this is exploitable? Otherwise it's hardly a security issue.
Reassigning to auditors so that they confirm it's not really exploitable for more than a crash.
CVE-2006-1834 : "Integer signedness error in Opera before 8.54 allows remote attackers to execute arbitrary code via long values in a stylesheet attribute, which pass a length check. NOTE: a sign extension problem makes the attack easier with shorter strings."
8.54 corrects this vuln. It seems to be exploitable for remote code execution, as for SecurityFocus (at least). Lanius, please provide an 8.54 ebuild if possible, thanks a lot.
*** Bug 128896 has been marked as a duplicate of this bug. ***
*** Bug 132865 has been marked as a duplicate of this bug. ***
Created attachment 86532 [details]
Opera 8.54 ebuild

Ebuild for 8.54: worksforme
*** Bug 132877 has been marked as a duplicate of this bug. ***
Thanks Bart. I think this is clearly a security issue (see CVE-2006-1834, SecurityFocus 17513). We should find someone able to commit the ebuild into portage; maybe one of the sec team?
*** Bug 133491 has been marked as a duplicate of this bug. ***
This security bug is open for more than a month. Are there any updates on this one?
The ebuild attached above doesn't work for me. I get a sandbox violation:

ACCESS DENIED open_wr: /usr/share/icons/hicolor/48x48/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/48x48/apps/opera.png': Permission denied
ACCESS DENIED open_wr: /usr/share/icons/hicolor/32x32/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/32x32/apps/opera.png': Permission denied
ACCESS DENIED open_wr: /usr/share/icons/hicolor/22x22/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/22x22/apps/opera.png': Permission denied
Could not find shortcut installation directory, desktop entry not installed.
install: cannot stat `/usr/local/portage/www-client/opera/files/opera.desktop': No such file or directory
>>> Completed installing opera-8.54 into /mnt/portage/portage_tmp/portage/opera-8.54/image/

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-www-client_-_opera-8.54-22351.log"

open_wr: /usr/share/icons/hicolor/48x48/apps/opera.png
open_wr: /usr/share/icons/hicolor/32x32/apps/opera.png
open_wr: /usr/share/icons/hicolor/22x22/apps/opera.png
--------------------------------------------------------------------------------
*** Bug 134055 has been marked as a duplicate of this bug. ***
Couldn't reproduce the sandbox issues using portage-2.1_rc2 so added ebuild to portage.
arches please test and mark 8.54 stable, thank you
Marked ppc stable.
x86 done
Static version fails with wrong size:

- `/usr/portage/distfiles/opera-8.54-20060330.1-static-qt.i386-en.tar.bz2' saved [5812590]

>>> md5 files ;-) opera-8.51.ebuild
>>> md5 files ;-) opera-8.52.ebuild
>>> md5 files ;-) opera-8.54.ebuild
>>> md5 files ;-) files/opera-qt.2.patch
>>> md5 files ;-) files/digest-opera-8.51
>>> md5 files ;-) files/digest-opera-8.52
>>> md5 files ;-) files/digest-opera-8.54
>>> md5 files ;-) files/opera.desktop

!!! Digest verification Failed:
!!! /usr/portage/distfiles/opera-8.54-20060330.1-static-qt.i386-en.tar.bz2
!!! Reason: Filesize does not match recorded size

mjollnir mka # grep static-qt.i386 /usr/portage/www-client/opera/files/digest-opera-8.54
MD5 16969fd3b4c5c4ccdfffddf34f95f71d opera-8.54-20060330.1-static-qt.i386-en.tar.bz2 3288384
mjollnir mka # ls -al opera-8.54-20060330.1-static-qt.i386-en.tar.bz2
-rw-rw-r-- 1 root portage 5812590 2006-05-26 17:34 opera-8.54-20060330.1-static-qt.i386-en.tar.bz2
mjollnir mka # head -c 3288384 opera-8.54-20060330.1-static-qt.i386-en.tar.bz2 | md5sum
16969fd3b4c5c4ccdfffddf34f95f71d

It seems that the file size is truncated in the ebuild.
digest was indeed wrong for the static-qt version, fixed.
(In reply to comment #16)
> Couldn't reproduce the sandbox issues using portage-2.1_rc2 so added ebuild to
> portage.

I ran into the sandbox issue with portage-2.0.54-r2. Since it is the current stable version on amd64 and people will be emerge'ing opera with it, I'm not going to mark opera-8.54 stable on amd64 until the sandbox issue is fixed.

# emerge --info
Portage 2.0.54-r2 (default-linux/amd64/2006.0, gcc-3.4.5, glibc-2.3.6-r3, 2.6.15-gentoo-r7 x86_64)
=================================================================
System uname: 2.6.15-gentoo-r7 x86_64 AMD Turion(tm) 64 Mobile Technology ML-32
Gentoo Base System version 1.6.14
dev-lang/python:     2.4.2
dev-python/pycrypto: [Not Present]
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib64/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig cvs distlocks multilib-strict sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ "
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://134.68.220.73/gentoo-portage"
USE="amd64 X aac acpi aim alsa audacious audiofile avi berkdb bitmap-fonts browserplugin bzip2 cdr cli crypt cups curl dbus dri eds emboss encode esd ethereal exif expat fam flac foomaticdb gd gdbm gif glut gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imlib ipv6 isdnlog jabber java jpeg kde lcms libcaca libwww lua lzw lzw-tiff mad mikmod mng mono mozilla moznocompose moznoirc moznomail mp3 mpeg msn mysql ncurses nls nocd nptl nptlonly nsplugin offensive ogg oggvorbis openal opengl oscar pam pcre pdflib perl php png pppd python qt quicktime readline reflection sdl session shorten sndfile spell spl ssl symlink tcpd tetex tiff truetype truetype-fonts type1-fonts udev usb userlocales vorbis wxgtk1 xml2 xmms xorg xpm xv xvid yahoo zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS

>>> Install opera-8.54 into /var/tmp/portage/opera-8.54/image/ category www-client
System wide configuration files:
  /var/tmp/portage/opera-8.54/image//etc//opera6rc
  /var/tmp/portage/opera-8.54/image//etc//opera6rc.fixed
would be ignored if installed with the prefix "/var/tmp/portage/opera-8.54/image//opt/opera".
Do you want to install them in /var/tmp/portage/opera-8.54/image//etc/ [ y,n | yes,no ] ?
Shortcut icons will be ignored if installed with the prefix "/var/tmp/portage/opera-8.54/image//opt/opera".
Do you want to (try to) install them in default locations [ y,n | yes,no ] ?
ACCESS DENIED open_wr: /usr/share/icons/hicolor/48x48/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/48x48/apps/opera.png': Permission denied
ACCESS DENIED open_wr: /usr/share/icons/hicolor/32x32/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/32x32/apps/opera.png': Permission denied
ACCESS DENIED open_wr: /usr/share/icons/hicolor/22x22/apps/opera.png
cp: cannot create regular file `/usr/share/icons/hicolor/22x22/apps/opera.png': Permission denied
Could not find shortcut installation directory, desktop entry not installed.
man:
strip: x86_64-pc-linux-gnu-strip --strip-unneeded
   /opt/opera/lib/opera/8.54-20060330.5/opera
   /opt/opera/lib/opera/8.54-20060330.5/spellcheck.so
   /opt/opera/lib/opera/8.54-20060330.5/works
   /opt/opera/lib/opera/8.54-20060330.5/missingsyms.so
   /opt/opera/lib/opera/plugins/operamotifwrapper-1
   /opt/opera/lib/opera/plugins/operamotifwrapper-2
   /opt/opera/lib/opera/plugins/operamotifwrapper-3
   /opt/opera/lib/opera/plugins/libnpp.so
   /opt/opera/lib/opera/plugins/operaplugincleaner
>>> Completed installing opera-8.54 into /var/tmp/portage/opera-8.54/image/

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-www-client_-_opera-8.54-9221.log"

open_wr: /usr/share/icons/hicolor/48x48/apps/opera.png
open_wr: /usr/share/icons/hicolor/32x32/apps/opera.png
open_wr: /usr/share/icons/hicolor/22x22/apps/opera.png
--------------------------------------------------------------------------------
Back to ebuild to get the sandbox issue fixed.
The sandbox issue has been resolved. amd64 stable. Thanks!
thanks, ready for glsa
GLSA 200606-01 Thx everyone and sorry for the delay.