Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 81747

Summary: net-www/opera: default plugin search path includes untrusted directory
Product: Gentoo Security Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: lanius
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 81745    

Description Tavis Ormandy (RETIRED) gentoo-dev 2005-02-12 08:40:23 UTC 
$ tail /opt/opera/share/opera/ini/pluginpath.ini
/usr/lib/netscape/plugins=1
/usr/local/netscape/plugins=1
/usr/local/lib/netscape/plugins=1
$HOME/.kde/.konqueror/nsplugins=1

; Since Mozilla supports NS plugins, there might
; be some in the Mozilla plugin directory.
/usr/lib/mozilla/plugins=1
/usr/X11R6/lib/mozilla/plugins=1
/var/tmp/portage/opera-7.54-r1/image//opt/opera/lib/opera/plugins


/var/tmp/portage (or $PORTAGE_TMPDIR) is an untrusted directory writable by users in group portage (or, if PORTAGE_TMPDIR is different than the build host's or has changed since building, all sers may be able to write there).

This is exploitable by dropping shared libraries into the directory, which opera will load on stating.

example:
$ mkdir -p /var/tmp/portage/opera-7.54-r1/image//opt/opera/lib/opera/plugins
$ gcc -shared rpath.c -o /var/tmp/portage/opera-7.54-r1/image//opt/opera/lib/opera/plugins/DO-NOT-LOAD-ME\!\!.so
$ opera
exploit code now in control!
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-13 12:22:55 UTC 
adding this sed to the existing install.sh sed's in src_unpack() fixes it:

"s:\(str_localdirplugin=\).*$:\1/opt/opera/lib/opera/plugins:"
Comment 2 Heinrich Wendel (RETIRED) gentoo-dev 2005-02-14 04:30:02 UTC 
now in portage as 7.54-r3, stable on all previous arches, since it's only a config path fix
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-14 04:35:53 UTC 
Should be included in the soon-to-be-released opera GLSA.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-14 11:40:31 UTC 
GLSA 200502-17