Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 73871

Summary: net-www/opera: Still vulnerable to Window Injection
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: lanius
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://secunia.com/advisories/13253/
Whiteboard: B4 [glsa] jaervosz
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 74076    

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-08 23:57:27 UTC
Secunia has reported a window injection vulnerability. Details in URL.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-12-09 01:53:47 UTC
Unconfirmed. Ccing maintainer to confirm / keep track of upstream.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-09 02:12:28 UTC
Confirmed with Version 7.54 Final Build 751
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-18 03:07:03 UTC
This is fixed by 7.54u1 on bug #74076
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 06:26:55 UTC
According to http://secunia.com/advisories/13253/ Opera just partly fixed the windows injection vulnerability :

---------
The vendor has issued Security update 7.54u1. However, this update only fixes certain attack vectors, but not the vulnerability. Other attack vectors can therefore still be exploited.
---------

I'll reopen this bug as a tracker for the window injection things that may remain. We'll address those fixed in 7.54u1 in bug 74076.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 06:27:26 UTC
Reopening
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-07 06:52:09 UTC
Opera 7.54u2 has been released to fix this and other problems. Lanius please provide an updated ebuild.
Comment 7 Heinrich Wendel (RETIRED) gentoo-dev 2005-02-08 09:58:32 UTC
bumped to opera-7.54-r2, stable on amd64, x86
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-09 07:18:56 UTC
sparc stable.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-09 07:42:10 UTC
Please vote on GLSA. I vote YES.

Note that this also fixes (afair):
bug #74076
bug #74321

Changes since 7.54:

Tightened origin check for frames, fixing issue reported in Secunia Advisory 13253. A side effect of this is that documents not passing the origin check will open in a new page.
Fixed issue reported by Marc Sch
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-09 07:42:10 UTC
Please vote on GLSA. I vote YES.

Note that this also fixes (afair):
bug #74076
bug #74321

Changes since 7.54:

Tightened origin check for frames, fixing issue reported in Secunia Advisory 13253. A side effect of this is that documents not passing the origin check will open in a new page.
Fixed issue reported by Marc Schönefeld: intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user's username and install directory.
Fixed LiveConnect class access security issue reported by Jouko Pynnönen.
Fixed download issue reported by Andreas Sandblad, Secunia Research, described in Secunia Advisory 12981: periods and non-breaking spaces in content-type header type could obscure file type.
Improved support for the "must-revalidate" cache directive.

Changes since 7.54u1:


Security

Solved data URL issue described in Secunia Advisory SA13818
Additional fixes for frame injection issue reported in Secunia Advisory SA13253

Miscellaneous

Improvements to handling of the must-revalidate directive.
Solved stability issue in Japanese version.

UNIX specific

Added extra warning dialog when opening .sh, .desktop or executables directly from Web or from transfer manager with kfmclient exec. Addresses issue reported in Secunia Advisory SA13447.
Fixed crash when importing e-mail.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-02-09 09:08:37 UTC
I agree on YES.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-14 11:40:07 UTC
GLSA 200502-17