| Summary: | www-client/opera: 8.51 is out with security fix | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | ollonois <ollonois> | ||||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | normal | CC: | bugreports, jer, lanius | ||||||
| Priority: | High | ||||||||
| Version: | unspecified | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| URL: | http://www.opera.com/docs/changelogs/linux/851/ | ||||||||
| Whiteboard: | C2? [glsa] | ||||||||
| Package list: | Runtime testing required: | --- | |||||||
| Attachments: |
|
||||||||
Please, make Bug 113237 public. It's announced at http://secunia.com/advisories/16907/ - can't see any reason why this should not be public here. "The vulnerability is caused due to the shell script used to launch Opera parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Opera as the default browser." Ccing maintainer. Created attachment 73390 [details]
opera-8.51.ebuild
(In reply to comment #3) > Created an attachment (id=73390) [edit] > opera-8.51.ebuild > Oops. Patch files/opera-qt.2.patch fails.. Created attachment 73392 [details]
opera-8.51.ebuild
Patch doesn't apply it seems... Not Qt workaround (qtrc) appears in the opera
script at all. And 8.51 works fine without it.
I currently have no possibility to commit anything. (In reply to comment #6) > I currently have no possibility to commit anything. I can do it if you approve that ebuild... (In reply to comment #7) > (In reply to comment #6) > > I currently have no possibility to commit anything. > > I can do it if you approve that ebuild... > On second thoughts, I assume your comment means you wanted it commited, so it's in CVS now... Arches please test and mark stable. sparc stable. stable on amd64 *** Bug 113237 has been marked as a duplicate of this bug. *** x86 stable. Not stable yet. Ebuild must be fixed: # USE=static emerge -v opera [some 404 not found errors on some mirrors] !!! Digest verification Failed: !!! /usr/portage/distfiles/opera-8.51-20051114.1-static-qt.i386-en.tar.bz2 !!! Reason: Filesize does not match recorded size (using x86 arch) The archives in the digest and those on the opera mirrors don't match indeed. I didn't notice as I was using the shared version. I've contacted opera in a bug report regarding the matter to verify it's our issue and not a corrupted archive on their site (hackers :/). Once I get a response I'll update this bug from there. Can an Opera user double-check that we are indeed affected ? There was a similar thing for Firefox but our Gentoo-specific wrapper made us unaffected. I don't want to issue a GLSA while we don't have the vulnerability :) LOL!!! (In reply to comment #17) > LOL!!! > > This is not a forum, please refrain from such useless comments next time. Thank you. I think http://bugs.gentoo.org/show_bug.cgi?id=113330#c3 has a quite good explanation for ebuild problem. digests fixed, x86 marked stable still. Marked ppc stable. All stable. Let's verify wether our wrapper script is affected too before taking any GLSA decision. Any Opera user could check if we are vulnerable to this ? lanius: could you confirm if we use the common Opera wrapper, which would make us vulnerable to this flaw ? we use the common wrapper I tend to vote yes. I tend to vote YES too. So let's do a GLSA. GLSA 200512-10 |
Updated Opera's wrapper script to not run commands included with URLs passed from other applications. Vulnerability reported in Secunia Advisory 16907. * Note that the update also modifies behavior for passed URLs, which will no longer work if quoted. That is, openURL(www.example.com) will work, openURL('www.example.com') will not. Reproducible: Always Steps to Reproduce: 1. 2. 3.