332449 – <www-client/opera-10.61: Multiple vulnerabilities (CVE-2010-{2421,2455,2576,2658,2659,2660,2661,2662,3019,3020,3021},CVE-2011-1824)

Bug 332449 - <www-client/opera-10.61: Multiple vulnerabilities (CVE-2010-{2421,2455,2576,2658,2659,2660,2661,2662,3019,3020,3021},CVE-2011-1824)

Summary: <www-client/opera-10.61: Multiple vulnerabilities (CVE-2010-{2421,2455,2576,2...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://www.opera.com/docs/changelogs/...
Whiteboard:	B2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2010-08-12 15:49 UTC by Jeroen Roovers (RETIRED)
Modified:	2012-06-15 17:40 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeroen Roovers (RETIRED) gentoo-dev

2010-08-12 15:49:31 UTC

Arch teams, please test and mark stable:
=www-client/opera-10.61
Target KEYWORDS="amd64 ppc x86 "
 * Arches to go stable: - 3 -

* Fixed an issue where heap buffer overflow in HTML5 canvas could be used to execute arbitrary code, as reported by Kuzzcc; see our advisory[1].
* Fixed an issue where unexpected changes in tab focus could be used to run programs from the Internet, as reported by Jakob Balle and Sven Krewitt of Secunia; see our advisory[2].
* Fixed an issue where news feed preview could subscribe to feeds without interaction, as reported by Alexios Fakos; see our advisory[3].

[1] http://www.opera.com/support/search/view/966/
[2] http://www.opera.com/support/search/view/967/
[3] http://www.opera.com/support/search/view/968/

Comment 1 Markos Chandras (RETIRED) gentoo-dev

2010-08-12 16:58:12 UTC

amd64 done

Comment 2 Christian Faulhammer (RETIRED) gentoo-dev

2010-08-12 20:37:39 UTC

x86 stable

Comment 3 Joe Jezak (RETIRED) gentoo-dev

2010-08-13 12:13:56 UTC

Marked ppc stable.

Comment 4 Tim Sammut (RETIRED) gentoo-dev

2010-11-19 07:16:57 UTC

GLSA with 283391.

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2011-06-14 09:19:18 UTC

CVE-2011-1824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1824):
  The VEGAOpBitmap::AddLine function in Opera before 10.61 does not properly
  initialize memory during processing of the SIZE attribute of a SELECT
  element, which allows remote attackers to trigger an invalid memory write
  operation, and consequently cause a denial of service (application crash) or
  possibly execute arbitrary code, via a large integer attribute value.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2011-10-08 00:59:04 UTC

CVE-2010-2576 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2576):
  Opera before 10.61 does not properly suppress clicks on download dialogs
  that became visible after a recent tab change, which allows remote attackers
  to conduct clickjacking attacks, and consequently execute arbitrary code,
  via vectors involving (1) closing a tab or (2) hiding a tab, a related issue
  to CVE-2005-2407.

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2011-10-08 12:21:22 UTC

CVE-2010-3021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3021):
  Unspecified vulnerability in Opera before 10.61 allows remote attackers to
  cause a denial of service (CPU consumption and application hang) via an
  animated PNG image.

CVE-2010-3019 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3019):
  Heap-based buffer overflow in Opera before 10.61 allows remote attackers to
  execute arbitrary code or cause a denial of service (application crash or
  hang) via vectors related to HTML5 canvas painting operations that occur
  during the application of transformations.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2012-06-15 17:40:47 UTC

This issue was resolved and addressed in
 GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml
by GLSA coordinator Sean Amoss (ackle).