Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 196164

Summary: www-client/opera <9.24 Multiple issues (CVE-2007-{5540,5541})
Product: Gentoo Security Reporter: Marko Steinberger <marko.steinberger>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: jer
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Marko Steinberger 2007-10-17 13:02:01 UTC
Version bump for opera. Fixes at least two security issues on Linux.

Reproducible: Always
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-17 13:03:35 UTC

*** This bug has been marked as a duplicate of bug 195386 ***
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-17 14:12:55 UTC
It's not a duplicate.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-17 14:13:47 UTC
Thanks for reporting, Marko.
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-10-17 14:16:21 UTC
Fixing screwed bug status...
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2007-10-17 14:16:35 UTC

*** This bug has been marked as a duplicate of bug 195386 ***
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-17 14:17:09 UTC
Bugzilla sucks.
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2007-10-17 14:18:02 UTC

*** This bug has been marked as a duplicate of bug 195386 ***
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-17 14:18:18 UTC
Committing the ebuild as we speak.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 14:44:39 UTC
This bug is not a duplicate, as the security issues fixed are not the ones in bug 195386:

* Fixed an issue where external news readers and e-mail clients could be used to execute arbitrary code, as reported by Michael A. Puls II.

* Fixed an issue where scripts could overwrite functions on pages from other domains. Issue reported to Opera by David Bloom.

Jeroen, is 9.24 ok for stabling?
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-17 14:56:56 UTC
(In reply to comment #9)
> This bug is not a duplicate, as the security issues fixed are not the ones in
> bug 195386:

Well, they may be...

As for stabilisation, the way it usually goes with Opera is upstream does a security release, I commit an ebuild as soon as possible and then we stabilise it as soon as possible. So yes, we're good to go stable. :)
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 16:11:02 UTC
Arches, please test and mark stable www-client/opera-9.24
Targets: "amd64 ppc sparc x86"
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-17 18:36:57 UTC
x86 stable
Comment 13 Ferris McCormick (RETIRED) gentoo-dev 2007-10-18 12:09:42 UTC
Sparc done.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-18 16:57:58 UTC
ppc stable
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-10-21 00:14:58 UTC
CVE-2007-5540 (
  Unspecified vulnerability in Opera before 9.24 allows remote attackers to
  overwrite functions on pages from other domains and bypass the same-origin
  policy via unknown vectors.

CVE-2007-5541 (
  Unspecified vulnerability in Opera before 9.24, when using an "external"
  newsgroup or e-mail client, allows remote attackers to execute arbitrary
  commands via unknown vectors.
Comment 16 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2007-10-21 23:51:04 UTC

On amd64 everything is working fine.

Portage (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22-gentoo-r8 x86_64)
System uname: 2.6.22-gentoo-r8 x86_64 AMD Athlon(tm) 64 Processor 3400+
Timestamp of tree: Sun, 21 Oct 2007 01:47:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
CFLAGS="-march=athlon64 -Os -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -Os -pipe"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTDIR_OVERLAY="/usr/portage/local/kde /overlay /usr/portage/local/kde"
USE="X acl acpi aim alsa amd64 arts berkdb bitmap-fonts branding cairo cli cracklib crypt cups dbus dri dvd dvdread emboss encode esd evo fam firefox fortran gdbm gif gpm gstreamer hal iconv imap ipv6 isdnlog jpeg kde kerberos mad midi mikmod mmx mp3 mpeg mqsli mudflap mysql ncurses nls nptl nptlonly nvidia ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support quicktime readline reflection sdl session sockets spell spl sqlite3 sse sse2 ssl svg tcpd test tiff truetype truetype-fonts type1-fonts unicode vim vorbis xcomposite xine xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Comment 17 Christoph Mende (RETIRED) gentoo-dev 2007-10-22 00:43:21 UTC
amd64 stable
Comment 18 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-22 05:55:40 UTC
Ready for GLSA request
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-30 22:19:14 UTC
GLSA 200710-31