
Bug 235298

Summary: www-client/opera < 9.52 Multiple vulnerabilities (CVE-2008-{4195,4196,4197,4198,4199,4200,4292})
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.opera.com/docs/changelogs/linux/952/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 14:59:27 UTC
Ignoring bug #195386 and bug #231830 for the moment, we're almost ready to stabilise.

* Sites can no longer change framed content on other sites: see our advisory[1]
* Fixed an issue that could allow cross-site scripting, as reported by Chris
Weber of Casaba Security: details will be disclosed at a later date
* Custom shortcuts no longer pass the wrong parameters to applications, as
reported by Michael A. Puls II: see our advisory[2]
* Prevented insecure pages from showing incorrect security information, as
reported by Lars Kleinschmidt: see our advisory[3]
* Feed links can no longer link to local files: see our advisory[4]
* Feed subscription can no longer cause the wrong page address to be displayed:
see our advisory[5]

[1] http://www.opera.com/support/search/view/893/
[2] http://www.opera.com/support/search/view/894/
[3] http://www.opera.com/support/search/view/895/
[4] http://www.opera.com/support/search/view/896/
[5] http://www.opera.com/support/search/view/897/
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 15:06:51 UTC
An ebuild is in the tree and the package.mask entry has been removed. Feel free to proceed with stabilisation.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-08-20 22:34:15 UTC
Arches, please test and mark stable:
=www-client/opera-9.52
Target keywords : "amd64 ppc sparc x86"
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-20 22:38:06 UTC
I know, no sparc :-)
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-21 21:35:11 UTC
I don't think I can agree to this bug's Severity being "minor".

* Sites can no longer change framed content on other sites [...] - Highly Severe
* Fixed an issue that could allow cross-site scripting [...] - [as yet unknown]
* Custom shortcuts no longer pass the wrong parameters to applications [...] - Moderately Severe
* Prevented insecure pages from showing incorrect security information [...] - Less Severe
* Feed links can no longer link to local files [...] - Less Severe
* Feed subscription can no longer cause the wrong page address to be displayed [...] - Not Severe

The first of them should warrant expedient stabilisation and a matching Severity setting on this bug report.
Comment 5 Dawid Węgliński (RETIRED) gentoo-dev 2008-08-22 00:08:29 UTC
Stable flash stopped working in opera-9.52 here on amd64. :(
Comment 6 Dawid Węgliński (RETIRED) gentoo-dev 2008-08-22 00:25:07 UTC
Okay, had to remerge netscape-flash. :) amd64 stable

I agree about the severity thing. It's much more critical imo.
Comment 7 Dmitriy Amelin 2008-08-22 05:27:02 UTC
Stable on x86
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-08-22 09:37:41 UTC
(In reply to comment #4)
> I don't think I can agree to this bug's Severity being "minor".

The severity is a direct result of the status B3 ('Global service compromise: denial of service, passwords or full database leaks'), please refer to section 3 of the vulnerability treatment policy for details: http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3

Any higher rating (B1/B2) would mean that an attacker could leverage any of these vulnerabilities to execute code with or without user assistance.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-22 17:55:02 UTC
(In reply to comment #7)
> Stable on x86

Please read http://devmanual.gentoo.org/keywording/ to find out what "stable on x86" means in Gentoo parlance.

(In reply to comment #8)
> (In reply to comment #4)
> > I don't think I can agree to this bug's Severity being "minor".
> 
> The severity is a direct result of the status B3 ('Global service compromise:
> denial of service, passwords or full database leaks'), please refer to section
> 3 of the vulnerability treatment policy for details:
> http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3

Ah, I wasn't aware of that. Thanks.
Comment 10 Markus Meier gentoo-dev 2008-08-22 20:57:37 UTC
x86 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-25 18:28:55 UTC
ppc stable and ready for glsa voting
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-25 19:21:23 UTC
<www-client/opera-9.52 removed from the tree, except where package.masked.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-02 17:04:12 UTC
I vote YES.
Comment 14 Matt Drew (RETIRED) gentoo-dev 2008-09-08 17:12:04 UTC
I vote yes.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-18 21:48:25 UTC
yes too, request filed.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-09-24 15:50:14 UTC
CVE-2008-4195 Sites can change framed content on other sites
CVE-2008-4196 cross-site scripting
CVE-2008-4197 Custom shortcuts
CVE-2008-4198 insecure pages show incorrect security information
CVE-2008-4199 Feed links can link to local files
CVE-2008-4200 feed subscription can cause the wrong page address to be displayed
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-09-29 14:58:07 UTC
CVE-2008-4195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4195):
  Opera before 9.52 does not properly restrict the ability of a framed
  web page to change the address associated with a different frame,
  which allows remote attackers to trigger the display of an arbitrary
  address in a frame via unspecified use of web script.

CVE-2008-4196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4196):
  Cross-site scripting (XSS) vulnerability in Opera before 9.52 allows
  remote attackers to inject arbitrary web script or HTML via
  unspecified vectors.

CVE-2008-4197 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4197):
  Opera before 9.52 on Windows, Linux, FreeBSD, and Solaris, when
  processing custom shortcut and menu commands, can produce argument
  strings that contain uninitialized memory, which might allow
  user-assisted remote attackers to execute arbitrary code or conduct
  other attacks via vectors related to activation of a shortcut.

CVE-2008-4198 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4198):
  Opera before 9.52, when rendering an http page that has loaded an
  https page into a frame, displays a padlock icon and offers a
  security information dialog reporting a secure connection, which
  might allow remote attackers to trick a user into performing unsafe
  actions on the http page.

CVE-2008-4199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4199):
  Opera before 9.52 does not prevent use of links from web pages to
  feed source files on the local disk, which might allow remote
  attackers to determine the validity of local filenames via vectors
  involving "detection of JavaScript events and appropriate
  manipulation."

CVE-2008-4200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4200):
  Opera before 9.52 does not ensure that the address field of a news
  feed represents the feed's actual URL, which allows remote attackers
  to change this field to display the URL of a page containing web
  script controlled by the attacker.

CVE-2008-4292 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4292):
  Opera before 9.52 does not check the CRL override upon encountering a
  certificate that lacks a CRL, which has unknown impact and attack
  vectors.  NOTE: it is not clear whether this is a vulnerability, but
  the vendor included it in a security section of the advisory.

Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-03 19:01:36 UTC
GLSA 200811-01, thanks everyone and sorry about the delay.