Bug 247229 (CVE-2008-5178) - www-client/opera <9.63: multiple vulnerabilities (CVE-2008-{5178,5679,5680,5681,5682,5683})
Summary: www-client/opera <9.63: multiple vulnerabilities (CVE-2008-{5178,5679,5680,56...
Status: RESOLVED FIXED
Alias: CVE-2008-5178
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.milw0rm.com/exploits/7135
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 251155
Depends on:
Blocks:
 
Reported: 2008-11-17 17:20 UTC by Christian Hoffmann (RETIRED)
Modified: 2009-03-16 23:56 UTC

See Also:
Package list:
Runtime testing required: ---
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-11-17 17:20:42 UTC
$URL has an exploit for Opera 9.62 which allows for remote code execution by enticing a user to visit a malicious page.

Might be Windows-only; I'm unable to even make Opera crash (the page just sits there loading forever, Opera stays responsive).
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-17 17:22:44 UTC
So.. waiting for new information / upstream reactions. No idea whether they've been contacted yet...
Comment 2 k`sOSe 2008-11-18 11:21:43 UTC
(In reply to comment #1)
> So.. waiting for new information / upstream reactions. No idea whether they've
> been contacted yet...
> 

Opera was informed in early October.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-18 17:25:26 UTC
Steps to reproduce:

$ lynx -dont_wrap_pre -dump 'http://www.milw0rm.com/exploits/7135' > /keeps/gentoo/bugs/247229/7135.html
$ opera /keeps/gentoo/bugs/247229/7135.html
ERROR: ld.so: object 'libjvm.so' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object 'libawt.so' from LD_PRELOAD cannot be preloaded: ignored.
NPP_GetValue(1)
NPP_GetMIMEDescription()
NPP_GetValue(1)
NPP_GetValue(2)
Segmentation fault
$ _
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-18 17:37:40 UTC
Tue Nov 18 18:37:08 CET 2008
Portage 2.2_rc14 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.25-gentoo-r7-JeR i686)
=================================================================
System uname: Linux-2.6.25-gentoo-r7-JeR-i686-AMD_Athlon-tm-_XP_2500+-with-glibc2.0
Timestamp of tree: Tue, 18 Nov 2008 05:15:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [disabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r7
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.7.9-r1, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=athlon-xp"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/app-defaults/XTerm /usr/share/X11/app-defaults/XTerm-color"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -march=athlon-xp"
DISTDIR="/keeps/gentoo/distfiles"
FEATURES="autoaddcvs buildpkg cvs distlocks fixpackages notitles parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://gentoo.tiscali.nl/ http://mirror.muntinternet.net/pub/gentoo/ "
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en en_GB nl"
MAKEOPTS="-j3"
PKGDIR="/keeps/gentoo/packages/astrid"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/keeps/gentoo/portage"
PORTDIR_OVERLAY="/keeps/gentoo/local"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac aalib acpi alsa asf audiofile bash-completion berkdb bl bluetooth boost branding bzip2 cairo cdda cddb cdio cdparanoia cdr chroot cli cpudetection cracklib crypt cscope css cups curl custom-cflags dga dillo divx dri dv dvd dvdr dvdread edl eds elf emboss encode evo fame fbcon ffmpeg flac flash fontforge foomaticdb fortran freetype gdbm ggi gif gimpprint glib glitz glut gmedia gnokii gnutls gpm gs gstreamer gtk gtk2 iconv idn imagemagick imlib inkjar ipv6 isdnlog jingle jpeg kde lcms libcaca libnotify libsamplerate live lm_sensors logrotate lzo mad matroska midi mikmod mjpeg mmx mng modplug mozilla mozsvg mozxmlterm mp3 mpeg mplayer mudflap musepack ncurses nethack network nls nptl nptlonly nsplugin offensive ogg opengl openmp optimisememory pam pcre pda pdf perl physfs plotutils png ppds pppd pulseaudio python quicktime readline realmedia reflection rtc rtsp ruby samba screenshot sdl server session sftplogging shout skins smux snmp speex spell spl sse sse2 sse3 ssl startup-notification stream svg sysfs syslog tcpd test tetex tga theora threads tiff truetype unicode upnp usb userlocales utils v4l v4l2 vcd vidix vlm vorbis win32codecs winbind wmp x86 xanim xml xml2 xorg xosd xulrunner xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB nl" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-18 18:18:45 UTC
Btw, the segfault seems to suggest that an entirely unhardened Linux is coping quite well here - I see Opera sucking up an enormous amount of memory and then segfaulting (probably some missing malloc check).
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-19 09:48:58 UTC
jer, could you also try remotely please? Maybe the "local" in milw0rm's title really means that the exploit code needs to be on the local machine already, which would make this issue much less important, imo.
Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-19 14:09:15 UTC
(In reply to comment #6)
> jer, could you also try remotely please? Maybe the "local" in milw0rm's title
> really means that the exploit code needs to be on the local machine already,
> which would make this issue much less important, imo.

Secunia confirms that this can only be exploited locally.
http://secunia.com/advisories/32752/
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-19 14:36:28 UTC
Re-rating as B3.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-19 16:13:48 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > jer, could you also try remotely please? Maybe the "local" in milw0rm's title
> > really means that the exploit code needs to be on the local machine already,
> > which would make this issue much less important, imo.
> 
> Secunia confirms that this can only be exploited locally.
> http://secunia.com/advisories/32752/

The advisory header actually says "Where: From remote" but I guess that's some kind of oversight. I uploaded the code to dev.g.o/~jer/* and loaded that in Opera, but instead of the reproducible segfault all I got was an idling page...
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-21 14:37:52 UTC
CVE-2008-5178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5178):
  Heap-based buffer overflow in Opera 9.62 on Windows allows remote
  attackers to execute arbitrary code via a long file:// URI.

Comment 11 Christian Hoffmann (RETIRED) gentoo-dev 2008-12-16 12:14:57 UTC
opera-9.63 released, which fixes this issue along with others.
Jeroen, please bump.

No idea about CVEs except for the initial issue.


Quoting the ChangeLog [1]:

* Manipulating text input contents can allow execution of arbitrary code, as
  reported by Red XIII [2]

* HTML parsing flaw can cause Opera to execute arbitrary code, as reported by
  Alexios Fakos [3]

* Long hostnames in file: URLs can cause execution of arbitrary code, as
  reported by Vitaly McLain. [4]

* Script injection in feed preview can reveal contents of unrelated news feeds,
  as reported by David Bloom. [5]

* Built-in XSLT templates can allow cross-site scripting, as reported by Robert
  Swiecki of the Google Security Team. [6]

* Fixed an issue that could reveal random data, as reported by Matthew of
  Hispasec Sistemas. Details will be disclosed at a later date.

* SVG images embedded using <img> tags can no longer execute Java or plugin
  content, suggested by Chris Evans.

[1] http://www.opera.com/docs/changelogs/linux/963/
[2] http://www.opera.com/support/search/view/920/
[3] http://www.opera.com/support/search/view/921/
[4] http://www.opera.com/support/search/view/922/
[5] http://www.opera.com/support/search/view/923/
[6] http://www.opera.com/support/search/view/924/
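The defensive check behind the CVE-2008-5178 entry above and changelog item [4] (a heap overflow triggered by an over-long hostname in a file: URL), shown as an added C example that is not Opera's code; the bug gives no internals, so the 253-character hostname cap and the unchecked-copy shape of the original flaw are assumptions:

```c
#include <stdlib.h>
#include <string.h>
/* Assumed cap for this example: a DNS hostname is at most 253 characters. */
#define MAX_HOST_LEN 253

/* Copy the host part of a file:// URL into a fixed-size heap buffer.
 * A "long hostname" heap overflow is this same copy without the length
 * check; here an over-long host is rejected before any byte is written.
 * Returns NULL if the URL is not file:// or the host is too long; the
 * caller frees the result. */
char *file_url_host(const char *url)
{
    static const char prefix[] = "file://";
    const size_t plen = sizeof(prefix) - 1;
    if (strncmp(url, prefix, plen) != 0) return NULL;
    const char *start = url + plen;
    const char *end = strchr(start, '/');
    size_t hlen = end ? (size_t)(end - start) : strlen(start);
    if (hlen > MAX_HOST_LEN) return NULL;  /* the check the overflow lacked */
    char *host = malloc(MAX_HOST_LEN + 1);
    if (host == NULL) return NULL;
    memcpy(host, start, hlen);
    host[hlen] = '\0';
    return host;
}

/* 1 if url is accepted and its host equals expected, else 0. */
int file_url_host_is(const char *url, const char *expected)
{
    char *h = file_url_host(url);
    int ok = h != NULL && strcmp(h, expected) == 0;
    free(h);
    return ok;
}

/* Constructed probe "file://" + n 'a' characters + "/x": 1 if accepted, 0 if rejected. */
int long_host_accepted(size_t n)
{
    char *url = malloc(7 + n + 3);
    if (url == NULL) return 0;
    memcpy(url, "file://", 7);
    memset(url + 7, 'a', n);
    memcpy(url + 7 + n, "/x", 3);
    char *h = file_url_host(url);
    int ok = h != NULL && strlen(h) == n;
    free(h);
    free(url);
    return ok;
}
```

An empty host (file:///etc/hosts) is accepted as "", and a host one character over the cap is rejected before the heap buffer is touched.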
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-16 12:34:48 UTC
*** Bug 251155 has been marked as a duplicate of this bug. ***
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-16 12:53:22 UTC
It's in the tree alright.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-12-16 13:32:12 UTC
Arches, please test and mark stable:
=www-client/opera-9.63
Target keywords : "amd64 ppc x86"
Comment 15 Kenneth Prugh (RETIRED) gentoo-dev 2008-12-16 20:40:51 UTC
amd64 stable
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-18 18:35:52 UTC
ppc stable
Comment 17 Markus Meier gentoo-dev 2008-12-20 17:33:19 UTC
x86 stable, all arches done.
Comment 18 Alex Buell 2008-12-21 14:52:13 UTC
I've just discovered Opera 9.63 is now available for SPARC platforms. Could it be unmasked and tested as unstable? 
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-21 20:17:17 UTC
GLSA request filed.
Comment 20 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-22 06:19:56 UTC
(In reply to comment #18)
> I've just discovered Opera 9.63 is now available for SPARC platforms. Could it
> be unmasked and tested as unstable? 

1) That's not related to this bug and you ought to have filed a new bug report.
2) It's only available for Solaris [1], which isn't supported in the Portage tree.

[1] http://ftp.opera.com/pub/opera/unix/solaris/963/final/en/sparc/
Comment 21 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-09 23:17:58 UTC
(In reply to comment #10)
> CVE-2008-5178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5178):
>   Heap-based buffer overflow in Opera 9.62 on Windows allows remote
>   attackers to execute arbitrary code via a long file:// URI.
> 

"on Windows": only the CVE says Windows-only. Neither the upstream advisory nor Secunia says it's Windows-only. Jer, could you please check whether we are affected by this one or not?
Comment 22 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-10 05:30:10 UTC
(In reply to comment #21)
> Jer, could you please check whether we are
> affected by this one or not?

Comment #9?
Comment 23 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-16 23:56:48 UTC
GLSA 200903-30, thanks everyone.