Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 185497 - www-client/opera < 9.22 - multiple vulnerabilities
Summary: www-client/opera < 9.22 - multiple vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] p-y
Depends on:
Reported: 2007-07-16 06:24 UTC by Jeroen Roovers (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2007-07-16 06:24:15 UTC
I cannot seem to reproduce this flaw with either
 ~www-client/opera-9.21 or
 ~www-client/opera-9.22.652 using the
<> example, but this bug may in due time turn out to be the 9.22 stabilisation bug, so it's useful to have around anyway.

From: Robert Swiecki <jagger@xxxxxxxxxxx>
Date: Sat, 14 Jul 2007 01:50:49 +0200
With a specially crafted web page, an attacker can redirect
a www browser to the page, which URL (in the url bar) resembles
an arbitrary domain choosen by the attacker.

It's possible due to the fact, that some web browsers incorrectly
display contents of the url bar while rendering pages based on the
'data:' URL scheme (RFC 2397). Only the ending of the URL is
displayed. Padding the URL with whitespaces allows an attacker to
insert an arbitrary content into the browser url bar.

Tested with:
* Opera 9.21 on Win 2003SE and Win XPSP2
* Opera 9.21 on Linux
* Konqueror 3.5.7 on Linux

Pictures taken on my systems (using 1024x768 dekstop resolution)

Successfull attack depends on the proper construction of the
'data:' URL. An algorithm could utilize JS
document.body.clientWidth/Height properties to calculate the
best url padding for the given browser.

PS. Sometimes Opera web browser displays the beggining of
the 'data:' URL (correct behaviour), e.g. during
browser startup with immediate redirect to the last visited page.

Robert Swiecki
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-19 17:38:09 UTC says:

* Fixed an issue that could occur when removing a specially prepared torrent transfer, as reported by iDefense. See the advisory[1].

* Fixed a data leak issue when using canvas.createPattern, as reported by Philip Taylor. See the advisory[2].

* Prevented an issue where data URLs could be used to display the wrong address in the address bar. See the advisory[3].

* Improved the display of long domain names in authentication dialogs. Long domain names will now scroll instead of using ellipsis. See the advisory[4].

* Added Trustcenter class 3 G2 root certificate.

* Fixes for a problem with certificate import from PKCS #7 Signed and Netscape Multicert files.

www-client/opera/opera-9.22.ebuild is in the tree!

Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-20 07:39:14 UTC
Thanks Jeroen.
Arches, please test and mark stable. Targt keywords are:
opera-9.22.ebuild:KEYWORDS="amd64 ppc sparc x86 ~x86-fbsd"
Comment 3 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-20 13:16:40 UTC
sparc stable.
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-20 17:41:19 UTC
ppc stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2007-07-21 14:21:07 UTC
x86 stable
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2007-07-28 18:29:53 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-04 04:44:19 UTC
Arches are all done. Get ready for 9.23! :)
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-22 22:43:01 UTC
GLSA 200708-17, combined with bug 188987. Thanks everybody!