Comment 1 Thierry Carrez (RETIRED) 2004-12-09 01:53:47 UTC

Unconfirmed. Ccing maintainer to confirm / keep track of upstream.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) 2004-12-09 02:12:28 UTC

Confirmed with Version 7.54 Final Build 751

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) 2004-12-18 03:07:03 UTC

This is fixed by 7.54u1 on bug #74076

Comment 4 Thierry Carrez (RETIRED) 2004-12-21 06:26:55 UTC

According to http://secunia.com/advisories/13253/ Opera just partly fixed the windows injection vulnerability :

---------
The vendor has issued Security update 7.54u1. However, this update only fixes certain attack vectors, but not the vulnerability. Other attack vectors can therefore still be exploited.
---------

I'll reopen this bug as a tracker for the window injection things that may remain. We'll address those fixed in 7.54u1 in bug 74076.

Comment 5 Thierry Carrez (RETIRED) 2004-12-21 06:27:26 UTC

Reopening

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) 2005-02-07 06:52:09 UTC

Opera 7.54u2 has been released to fix this and other problems. Lanius please provide an updated ebuild.

Comment 7 Heinrich Wendel (RETIRED) 2005-02-08 09:58:32 UTC

bumped to opera-7.54-r2, stable on amd64, x86

Comment 8 Gustavo Zacarias (RETIRED) 2005-02-09 07:18:56 UTC

sparc stable.

Comment 9 Sune Kloppenborg Jeppesen (RETIRED) 2005-02-09 07:42:10 UTC

Please vote on GLSA. I vote YES.

Note that this also fixes (afair):
bug #74076
bug #74321

Changes since 7.54:

Tightened origin check for frames, fixing issue reported in Secunia Advisory 13253. A side effect of this is that documents not passing the origin check will open in a new page.
Fixed issue reported by Marc Sch

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) 2005-02-09 07:42:10 UTC

Please vote on GLSA. I vote YES.

Note that this also fixes (afair):
bug #74076
bug #74321

Changes since 7.54:

Tightened origin check for frames, fixing issue reported in Secunia Advisory 13253. A side effect of this is that documents not passing the origin check will open in a new page.
Fixed issue reported by Marc Schönefeld: intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user's username and install directory.
Fixed LiveConnect class access security issue reported by Jouko Pynnönen.
Fixed download issue reported by Andreas Sandblad, Secunia Research, described in Secunia Advisory 12981: periods and non-breaking spaces in content-type header type could obscure file type.
Improved support for the "must-revalidate" cache directive.

Changes since 7.54u1:


Security

Solved data URL issue described in Secunia Advisory SA13818
Additional fixes for frame injection issue reported in Secunia Advisory SA13253

Miscellaneous

Improvements to handling of the must-revalidate directive.
Solved stability issue in Japanese version.

UNIX specific

Added extra warning dialog when opening .sh, .desktop or executables directly from Web or from transfer manager with kfmclient exec. Addresses issue reported in Secunia Advisory SA13447.
Fixed crash when importing e-mail.

Comment 11 Thierry Carrez (RETIRED) 2005-02-09 09:08:37 UTC

I agree on YES.

Comment 12 Sune Kloppenborg Jeppesen (RETIRED) 2005-02-14 11:40:07 UTC

GLSA 200502-17