Updated Opera's wrapper script to not run commands included with URLs passed
from other applications. Vulnerability reported in Secunia Advisory 16907.
* Note that the update also modifies behavior for passed URLs, which will no
longer work if quoted. That is, openURL(www.example.com) will work,
openURL('www.example.com') will not.
Please, make Bug 113237 public. It's announced at
http://secunia.com/advisories/16907/ - can't see any reason why this should not
be public here.
"The vulnerability is caused due to the shell script used to launch Opera
parsing shell commands that are enclosed within backticks in the URL provided
via the command line. This can e.g. be exploited to execute arbitrary shell
commands by tricking a user into following a malicious link in an external
application which uses Opera as the default browser."
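An added example, not part of the original thread and not Opera's actual wrapper script: a generic launcher that re-parses its command line with `eval` next to one that passes the URL through as a quoted argument. `browser_stub`, `launch_unsafe`, `launch_safe` and the sample URLs are hypothetical names and constructed inputs; the last two lines show behaviour consistent with the changelog note that quoted URLs stop working once re-parsing is removed.

```shell
#!/bin/sh
# Illustration only: generic wrapper pattern, assumed for this example.

# Hypothetical stand-in for the browser binary: reports the argument it got.
browser_stub() {
    printf 'ARG=%s\n' "$1"
}

# Weak pattern: the command line is built as a string and re-parsed by eval,
# so the shell performs command substitution and quote removal on the URL.
launch_unsafe() {
    cmd="browser_stub $1"
    eval "$cmd"
}

# Hardened pattern: the URL stays inside a quoted positional parameter and is
# never re-parsed, so backticks and quotes reach the browser as literal text.
launch_safe() {
    browser_stub "$1"
}

# Constructed sample inputs: a harmless echo inside backticks, and a URL
# wrapped in single quotes as in the changelog note.
sample_url='http://www.example.com/`echo INJECTED`'
quoted_url="'www.example.com'"

# Stand-alone demonstration of the four cases.
for url in "$sample_url" "$quoted_url"; do
    printf 'unsafe: %s\n' "$(launch_unsafe "$url")"
    printf 'safe:   %s\n' "$(launch_safe "$url")"
done
```

Filtering characters is not a substitute for the quoting fix: `$(` and `)` are legal in URLs, so a launcher has to avoid re-parsing rather than rely on rejecting input.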
Created attachment 73390
(In reply to comment #3)
> Created an attachment (id=73390) 
Oops. Patch files/opera-qt.2.patch fails..
Created attachment 73392
Patch doesn't apply it seems... No Qt workaround (qtrc) appears in the opera
script at all. And 8.51 works fine without it.
I currently have no possibility to commit anything.
(In reply to comment #6)
> I currently have no possibility to commit anything.
I can do it if you approve that ebuild...
(In reply to comment #7)
> (In reply to comment #6)
> > I currently have no possibility to commit anything.
> I can do it if you approve that ebuild...
On second thoughts, I assume your comment means you wanted it committed, so it's
in CVS now...
Arches please test and mark stable.
stable on amd64
*** Bug 113237 has been marked as a duplicate of this bug. ***
Not stable yet. Ebuild must be fixed:
# USE=static emerge -v opera
[some 404 not found errors on some mirrors]
!!! Digest verification Failed:
!!! Reason: Filesize does not match recorded size
(using x86 arch)
The archives in the digest and those on the opera mirrors don't match indeed. I
didn't notice as I was using the shared version. I've contacted opera in a bug
report regarding the matter to verify it's our issue and not a corrupted archive
on their site (hackers :/). Once I get a response I'll update this bug from
Can an Opera user double-check that we are indeed affected?
There was a similar thing for Firefox but our Gentoo-specific wrapper made us
unaffected. I don't want to issue a GLSA while we don't have the vulnerability :)
(In reply to comment #17)
This is not a forum, please refrain from such useless comments next time. Thank
I think http://bugs.gentoo.org/show_bug.cgi?id=113330#c3 has a quite good
explanation for the ebuild problem.
digests fixed, x86 marked stable still.
Marked ppc stable.
All stable. Let's verify whether our wrapper script is affected too before
taking any GLSA decision.
Any Opera user could check if we are vulnerable to this?
lanius: could you confirm if we use the common Opera wrapper, which would make
us vulnerable to this flaw?
we use the common wrapper
I tend to vote yes.
I tend to vote YES too.
So let's do a GLSA.