Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 294208 (CVE-2009-4071)

Summary: <www-client/opera-10.10 Multiple vulnerabilities (CVE-2009-{4071,4072})
Product: Gentoo Security Reporter: Jeroen Roovers (RETIRED) <jer>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.opera.com/docs/changelogs/unix/1010/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2009-11-23 15:11:31 UTC 
* Fixed a heap buffer overflow in string to number conversion; see our advisory[1].
* Fixed an issue where error messages could leak onto unrelated sites; see our advisory[2].
* Fixed a moderately severe issue, as reported by Chris Evans of the Google Security Team; details will be disclosed at a later date.

[1] http://www.opera.com/support/search/view/942/
[2] http://www.opera.com/support/search/view/941/
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-23 15:20:03 UTC 
Arch devs, please mark stable:
=www-client/opera-10.10
Target arches: amd64 ppc x86
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-23 20:52:39 UTC 
x86 stable
Comment 3 Markus Meier gentoo-dev 2009-11-25 22:42:40 UTC 
amd64 stable
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-26 08:26:16 UTC 
CVE-2009-4071 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4071):
  Opera before 10.10, when exception stacktraces are enabled, places
  scripting error messages from a web site into variables that can be
  read by a different web site, which allows remote attackers to obtain
  sensitive information or conduct cross-site scripting (XSS) attacks
  via unspecified vectors.

CVE-2009-4072 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4072):
  Unspecified vulnerability in Opera before 10.10 has unknown impact
  and attack vectors, related to a "moderately severe issue."
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-09 18:53:25 UTC 
Stable for PPC. <www-client/opera-10.10 removed.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:10:34 UTC 
Added bug to pending CVE.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 17:40:19 UTC 
This issue was resolved and addressed in
 GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml
by GLSA coordinator Sean Amoss (ackle).