Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 373289 (CVE-2011-1337)

Summary: <www-client/opera-11.50.1074: Multiple vulnerabilities (CVE-2010-2665,CVE-2011-{1337,2609,2610,2611,2612,2613,2614,2615,2616,2617,2618,2619,2620,2621,2622,2623,2624,2625,2626,2627,2628,2629,2630,2631,2632,2633,2634,2635,2636,2637,2638,2639,2640,2641})
Product: Gentoo Security Reporter: Jeroen Roovers (RETIRED) <jer>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.opera.com/docs/changelogs/unix/1150/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2011-06-28 06:59:39 UTC 
= Security =
 * Improvements *
) Tightened security policies in several locations
) Fixed a moderately severe issue. Details will be disclosed at a later date.
) Fixed an issue where data URIs could be used to initiate cross site scripting 
  against unrelated sites, as reported by Michal Zalewski of the Google Security 
  Team; see our advisory[1].
) Fixed an issue with error pages that could cause a system crash, as reported
  through JPCERT; see our advisory[2].

[1] http://www.opera.com/support/kb/view/995/
[2] http://www.opera.com/support/kb/view/996/

Arch teams, please test and mark stable:
=www-client/opera-11.50.1074
Target KEYWORDS="amd64 x86"
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2011-06-28 10:23:31 UTC 
amd64:

opera seems to not connect to the installed adobe-flash
Otherwise it works
Comment 2 Andreas Schürch gentoo-dev 2011-06-28 11:40:13 UTC 
Tested on x86, looks good over here and even flash is working! :-)
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2011-06-28 11:42:03 UTC 
what's the secret????
Comment 4 Andreas Schürch gentoo-dev 2011-06-28 12:11:26 UTC 
(In reply to comment #3)
> what's the secret????
hehe :-)
I would tend to say that flash in it self is the problem on amd64!? ;-)
Honestly, i don't know and haven't done anything special...
Comment 5 Agostino Sarubbo gentoo-dev 2011-06-28 16:33:58 UTC 
amd64 ok
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-06-28 18:26:48 UTC 
(In reply to comment #1)
> amd64:
> 
> opera seems to not connect to the installed adobe-flash

Could be bug #363387 but over there I see three different platforms with perhaps two different issues (the one in the Summary and maybe one other). This isn't the place to have that discussion all over again, even if bug #363387 isn't either.
Comment 7 Markus Meier gentoo-dev 2011-06-29 18:59:37 UTC 
amd64/x86 stable, thanks Ian, Andreas and Agostino. All arches done.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-06-29 21:39:07 UTC 
GLSA Vote: no.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 00:15:24 UTC 
CVE-2011-1337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1337):
  Opera before 11.50 allows remote attackers to cause a denial of service
  (disk consumption) via invalid URLs that trigger creation of error pages.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:37:55 UTC 
CVE-2010-2665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2665):
  Cross-site scripting (XSS) vulnerability in Opera before 10.54 on Windows
  and Mac OS X, and before 10.11 on UNIX platforms, allows remote attackers to
  inject arbitrary web script or HTML via a data: URI, related to incorrect
  detection of the "opening site."
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:28:43 UTC 
Vote: YES. Added to pending GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 17:41:07 UTC 
This issue was resolved and addressed in
 GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml
by GLSA coordinator Sean Amoss (ackle).