Bug 421075 - <www-client/opera-12.00.1467 - multiple vulnerabilities (CVE-2012-{3555,3556,3557,3558,3560})
Summary: <www-client/opera-12.00.1467 - multiple vulnerabilities (CVE-2012-{3555,3556,...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.opera.com/docs/changelogs/...
Whiteboard: B2 [glsa]
Reported: 2012-06-14 09:42 UTC by Jeroen Roovers (RETIRED)
Modified: 2012-06-15 17:41 UTC
Description Jeroen Roovers (RETIRED) gentoo-dev 2012-06-14 09:42:19 UTC
= Security =
 * Fixed an issue where hidden keyboard navigation could allow cross site
   scripting or code execution, as reported by Jordi Chancel; see our
   advisory[1]
 * Fixed an issue where a combination of clicks and key presses could lead to
   cross site scripting or code execution, as reported by Jordi Chancel; see
   our advisory[2]
 * Fixed an issue where cross-domain JSON resources may be exposed as
   JavaScript variable data; see our advisory[3]
 * Fixed an issue where carefully timed reloads, redirects, and navigation
   could spoof the address field, as reported by Jordi Chancel; see our
   advisory[4]
 * Fixed an issue where pages could prevent navigation to a target page,
   spoofing the address field, as reported by Code Audit Labs of vulnhunt.com;
   see our advisory[5]

[1] http://www.opera.com/support/kb/view/1021/
[2] http://www.opera.com/support/kb/view/1020/
[3] http://www.opera.com/support/kb/view/1019/
[4] http://www.opera.com/support/kb/view/1018/
[5] http://www.opera.com/support/kb/view/1022/

Arch teams, please test and mark stable:
=www-client/opera-12.00.1467
Target KEYWORDS="amd64 x86"
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-06-14 10:16:10 UTC
x86:
Everything compiles and runs fine. Compiling with USE flags: also without problems (all RDEPEND compile OK). No complaints from repoman.
Please mark stable for x86.
Comment 2 Agostino Sarubbo gentoo-dev 2012-06-14 12:11:19 UTC
amd64 stable
Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-06-14 21:50:50 UTC
x86 stable
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-15 12:00:42 UTC
Thanks, everyone.

Adding to existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 17:18:32 UTC
CVE-2012-3560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3560):
  Opera before 11.65 does not ensure that the address field corresponds to the
  displayed web page during blocked navigation, which makes it easier for
  remote attackers to conduct spoofing attacks by detecting and preventing
  attempts to load a different web page.

CVE-2012-3558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3558):
  Opera before 11.65 does not ensure that the address field corresponds to the
  displayed web page during unusually timed changes to this field, which makes
  it easier for user-assisted remote attackers to conduct spoofing attacks via
  vectors involving navigation, reloads, and redirects.

CVE-2012-3557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3557):
  Opera before 11.65 does not properly restrict the reading of JSON strings,
  which allows remote attackers to perform cross-domain loading of JSON
  resources and consequently obtain sensitive information via a crafted web
  site.

CVE-2012-3556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3556):
  Opera before 11.65 does not properly restrict the opening of a pop-up window
  in response to the first click of a double-click action, which makes it
  easier for user-assisted remote attackers to conduct cross-site scripting
  (XSS) attacks or execute arbitrary code via a crafted web site.

CVE-2012-3555 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3555):
  Opera before 11.65 does not ensure that keyboard sequences are associated
  with a visible window, which makes it easier for user-assisted remote
  attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary
  code via a crafted web site, related to a "hidden keyboard navigation"
  issue.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 17:41:41 UTC
This issue was resolved and addressed in
 GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml
by GLSA coordinator Sean Amoss (ackle).