Bug 381275 (CVE-2011-3388) - <www-client/opera-11.51.1087 - Unsecured web content may appear to be secure or trusted through Extended Validation (CVE-2011-{3388,3389})
Summary: <www-client/opera-11.51.1087 - Unsecured web content may appear to be secure ...
Status: RESOLVED FIXED
Alias: CVE-2011-3388
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/45791/
Whiteboard: B4 [glsa]
Reported: 2011-08-31 12:01 UTC by Agostino Sarubbo
Modified: 2012-06-15 17:41 UTC

Description Agostino Sarubbo gentoo-dev 2011-08-31 12:01:48 UTC
From Secunia security advisory at $URL:

Description:
1) An error when loading content can be exploited to cause Opera to display the security information of e.g. a trusted or secure website instead of the actual, untrusted website by loading and manipulating content in a certain sequence.

2) An unspecified error exists. No more information is currently available.

Solution:
Update to version 11.51.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2011-08-31 15:32:27 UTC
Arch teams, please test and mark stable:
=www-client/opera-11.51.1087
Target KEYWORDS="amd64 x86"
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2011-08-31 15:44:00 UTC
http://www.opera.com/support/kb/view/1000/

== Unsecured web content may appear to be secure or trusted through Extended Validation ==

= Severity =
High

= Description =
Insecure sites should be shown in the address field as insecure (displayed as "Web" in the address field). When certain content is loaded and manipulated in a specific sequence, it can cause Opera to display the security information from the loaded resources in the address field and page information dialog. This allows a malicious page to display the security information from a secure or trusted third party, instead of its own security information.
Comment 3 Agostino Sarubbo gentoo-dev 2011-08-31 17:09:19 UTC
Adding severity=4 per Tim's suggestion.

amd64 ok
Comment 4 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-08-31 17:43:03 UTC
amd64: pass
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2011-09-01 14:23:41 UTC
+  01 Sep 2011; Tony Vroon <chainsaw@gentoo.org> opera-11.51.1087.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in security bug #381275.
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-09-04 00:50:47 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2011-09-04 00:53:05 UTC
Thanks all, adding glsa vote.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-09-04 03:18:58 UTC
Thanks, folks. GLSA Vote: no.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 00:16:41 UTC
CVE-2011-3388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3388):
  Opera before 11.51 allows remote attackers to cause an insecure site to
  appear secure or trusted via unspecified actions related to Extended
  Validation and loading content from trusted sources in an unspecified
  sequence that causes the address field and page information dialog to
  contain security information based on the trusted site, instead of the
  insecure site.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:10:39 UTC
Added to pending GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 17:41:13 UTC
This issue was resolved and addressed in
 GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml
by GLSA coordinator Sean Amoss (ackle).