| Summary: | net-www/opera: 7.54u1 fixes multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Aarni Honka <aarni.honka> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | jaervosz, lanius |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://www.opera.com/support/search/supsearch.dml?index=782 | | |
| Whiteboard: | B4 [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 73871 | | |
| Bug Blocks: | | | |

Description
Aarni Honka
2004-12-11 02:14:26 UTC
http://www.opera.com/support/search/supsearch.dml?index=782

Advisory: Opera security advisory 2004-12-10
Platform: All platforms

Opera security advisory

* Named frames or windows can be hi-jacked by malicious frames or windows.
* Periods in the file name and non-breaking spaces in the Content-Type header can make the save/open dialog misleading. A user may be convinced that an executable file is something else, for example a PDF document.
* Applets have access to sun.* packages
* Liveconnect: com.opera.EcmascriptObject constructor is accessible to Java
* Liveconnect reveals the path to the user's home directory. This can make other vulnerabilities easier to exploit.

Severity: Moderate/high

Vulnerable versions of Opera

* 7.54 and earlier

Opera's response

Security update 7.54u1. 7.54u1 has several security fixes. (Note: Please use the download link on the right hand side of the page.)

* Tightened origin check for frames.
A side effect of this is that documents not passing the origin check will open in a new page.
* Fixed issue reported by Marc Schönefeld: intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user's username and install directory.
* Fixed LiveConnect class access security issue reported by Jouko Pynnonen.
* Fixed Secunia issue SA12981, reported by Andreas Sandblad: periods in the file name and non-breaking spaces in content-type header type could obscure the file type.
* Fixed Secunia issue SA13253: "hi-jacking" a named browser window.
* Improved support for the "must-revalidate" cache directive.

Credits

* Secunia Research
* Andreas Sandblad, Secunia Research
* Mark Schönefeld
* Jouko Pynnonen

lanius: pls update to the fixed version

added opera-7.54-r1

Thx Heinrich. Arches please mark stable.

This also fixes bug #71818 (Java issues).

stable on sparc

amd64 done

Thx Simon. This one is ready for GLSA, Security please vote.

I vote yes. Also this seems to fix the Java sandbox problems which are quite critical (bug 71818).

Correct. We'll have a GLSA on this one.

Note that according to http://secunia.com/advisories/13253/ Opera just partly fixed the windows injection vulnerability.

*** Bug 71818 has been marked as a duplicate of this bug. ***

Hmmkay... I'm no longer sure this is worth a GLSA (for the moment). What we have fixed here is mostly download scams and info leaks:

* Named frames or windows can be hi-jacked by malicious frames or windows. Opera now tightens origin check for frames. [This is http://secunia.com/advisories/13253/ which Secunia says is just partly fixed. This one could be worth a GLSA, but it's not really fixed, so...]
* Periods in the file name and non-breaking spaces in the Content-Type header can make the save/open dialog misleading. A user may be convinced that an executable file is something else, for example a PDF document. [This is http://secunia.com/advisories/12981/ . Not sure it's worth a GLSA]
* Applets have access to sun.* packages : intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user's username and install directory [This is the one that convinced me to issue a GLSA. In fact it's just a small infoleak, not a sandbox bypass, so it's probably not worth a GLSA]
* Liveconnect: com.opera.EcmascriptObject constructor is accessible to Java and LiveConnect reveals the path to the user's home directory. [small infoleak]
* Improved support for the "must-revalidate" cache directive. [yeah right]

We still have two vulnerabilities current, the kfmclient exec Opera/KDE thing (which is rather grave for KDE users) and a complete fix to Secunia's window injection thing. So we have two choices, issuing a "Low" GLSA with what is fixed in 7.54u1 or wait for other fixes to come in.

Sie sind verwundbar: class sun.text.Utility Version 7.54 u1

I vote for hold on this one.

We should hold this one and wait for new fixes I guess.

On hold waiting for more fixes

754u2 is released and in portage

GLSA 200502-17
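
The advisory item on misleading save/open dialogs names two indicators: non-breaking spaces in the Content-Type header and periods in the file name. The following is an added example, not part of this bug thread or of Opera's advisory, showing how a proxy or log audit could flag both in a response head. The extension lists, the double-extension heuristic and the sample headers are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumed extension lists for illustration; adjust to local policy.
EXECUTABLE_EXT = {"exe", "com", "bat", "scr", "pif", "sh", "jar"}
DOCUMENT_EXT = {"pdf", "doc", "txt", "jpg", "png", "zip"}

# Constructed sample response heads (not captured traffic).
SUSPECT_HEAD = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: application/pdf\xa0\xa0\xa0\xa0\r\n"
                b'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n\r\n')
CLEAN_HEAD = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Type: application/pdf\r\n"
              b'Content-Disposition: attachment; filename="report.v2.pdf"\r\n\r\n')


def odd_whitespace(value):
    """Code points of space, control or format characters other than SP and HTAB."""
    return sorted({f"U+{ord(c):04X}" for c in value
                   if c not in " \t" and unicodedata.category(c) in ("Zs", "Cc", "Cf")})


def audit_download(raw_head):
    """List reasons a save/open prompt built from these headers could mislead."""
    headers = {}
    for line in raw_head.decode("latin-1").split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            # strip(" \t") on purpose: a bare strip() would also remove U+00A0
            headers[name.strip().lower()] = value.strip(" \t")
    findings = []
    bad = odd_whitespace(headers.get("content-type", ""))
    if bad:
        findings.append("content-type contains " + ", ".join(bad))
    match = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    if match:
        name = match.group(1)
        if odd_whitespace(name):
            findings.append("filename contains unusual whitespace")
        parts = [p.strip().lower() for p in name.split(".")]
        if (len(parts) > 2 and parts[-1] in EXECUTABLE_EXT
                and any(p in DOCUMENT_EXT for p in parts[1:-1])):
            findings.append(f"filename ends in .{parts[-1]} after a document extension")
    return findings


if __name__ == "__main__":
    for head in (SUSPECT_HEAD, CLEAN_HEAD):
        print(audit_download(head) or "no findings")
```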