$URL has an exploit for Opera 9.62 which allows for remote code execution by enticing a user to visit a malicious page.
Might be Windows-only; I'm unable to even make Opera crash (the page just sits there loading forever, Opera stays responsive).
So.. waiting for new information / upstream reactions. No idea whether they've been contacted yet...
(In reply to comment #1)
> So.. waiting for new information / upstream reactions. No idea whether they've
> been contacted yet...
Opera was informed in early October.
Steps to reproduce:
$ lynx -dont_wrap_pre -dump 'http://www.milw0rm.com/exploits/7135' > /keeps/gentoo/bugs/247229/7135.html
$ opera /keeps/gentoo/bugs/247229/7135.html
ERROR: ld.so: object 'libjvm.so' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object 'libawt.so' from LD_PRELOAD cannot be preloaded: ignored.
Tue Nov 18 18:37:08 CET 2008
Portage 2.2_rc14 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.25-gentoo-r7-JeR i686)
System uname: Linux-2.6.25-gentoo-r7-JeR-i686-AMD_Athlon-tm-_XP_2500+-with-glibc2.0
Timestamp of tree: Tue, 18 Nov 2008 05:15:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [disabled]
dev-java/java-config: 1.3.7, 2.1.6
sys-devel/autoconf: 2.13, 2.61-r2
sys-devel/automake: 1.5, 1.7.9-r1, 1.9.6-r2, 1.10.1-r1
CFLAGS="-O2 -pipe -march=athlon-xp"
CONFIG_PROTECT="/etc /usr/share/X11/app-defaults/XTerm /usr/share/X11/app-defaults/XTerm-color"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -march=athlon-xp"
FEATURES="autoaddcvs buildpkg cvs distlocks fixpackages notitles parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://gentoo.tiscali.nl/ http://mirror.muntinternet.net/pub/gentoo/ "
LINGUAS="en en_GB nl"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="3dnow 3dnowext X a52 aac aalib acpi alsa asf audiofile bash-completion berkdb bl bluetooth boost branding bzip2 cairo cdda cddb cdio cdparanoia cdr chroot cli cpudetection cracklib crypt cscope css cups curl custom-cflags dga dillo divx dri dv dvd dvdr dvdread edl eds elf emboss encode evo fame fbcon ffmpeg flac flash fontforge foomaticdb fortran freetype gdbm ggi gif gimpprint glib glitz glut gmedia gnokii gnutls gpm gs gstreamer gtk gtk2 iconv idn imagemagick imlib inkjar ipv6 isdnlog jingle jpeg kde lcms libcaca libnotify libsamplerate live lm_sensors logrotate lzo mad matroska midi mikmod mjpeg mmx mng modplug mozilla mozsvg mozxmlterm mp3 mpeg mplayer mudflap musepack ncurses nethack network nls nptl nptlonly nsplugin offensive ogg opengl openmp optimisememory pam pcre pda pdf perl physfs plotutils png ppds pppd pulseaudio python quicktime readline realmedia reflection rtc rtsp ruby samba screenshot sdl server session sftplogging shout skins smux snmp speex spell spl sse sse2 sse3 ssl startup-notification stream svg sysfs syslog tcpd test tetex tga theora threads tiff truetype unicode upnp usb userlocales utils v4l v4l2 vcd vidix vlm vorbis win32codecs winbind wmp x86 xanim xml xml2 xorg xosd xulrunner xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB nl" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Btw, the segfault seems to suggest that an entirely unhardened Linux is coping quite well here - I see opera sucking up an enormous amount of memory and then segfaulting (probably some missing malloc check).
jer, could you also try remotely please? Maybe the "local" in milw0rm's title really means that the exploit code needs to be on the local machine already, which would make this issue much less important, imo.
(In reply to comment #6)
> jer, could you also try remotely please? Maybe the "local" in milw0rm's title
> really means that the exploit code needs to be on the local machine already,
> which would make this issue much less important, imo.
Secunia confirms that this can only be exploited locally.
Re-rating as B3.
(In reply to comment #7)
> (In reply to comment #6)
> > jer, could you also try remotely please? Maybe the "local" in milw0rm's title
> > really means that the exploit code needs to be on the local machine already,
> > which would make this issue much less important, imo.
> Secunia confirms that this can only be exploited locally.
The advisory header actually says "Where: From remote" but I guess that's some kind of oversight. I uploaded the code to dev.g.o/~jer/* and loaded that in Opera, but instead of the reproducible segfault all I got was an idling page...
CVE-2008-5178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5178):
Heap-based buffer overflow in Opera 9.62 on Windows allows remote attackers to execute arbitrary code via a long file:// URI.
opera-9.63 released, which fixes this issue along with others.
Jeroen, please bump.
No idea about CVEs except for the initial issue.
Quoting the ChangeLog:
* Manipulating text input contents can allow execution of arbitrary code, as reported by Red XIII
* HTML parsing flaw can cause Opera to execute arbitrary code, as reported by Alexios Fakos
* Long hostnames in file: URLs can cause execution of arbitrary code, as reported by Vitaly McLain.
* Script injection in feed preview can reveal contents of unrelated news feeds, as reported by David Bloom.
* Built-in XSLT templates can allow cross-site scripting, as reported by Robert Swiecki of the Google Security Team.
* Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas. Details will be disclosed at a later date.
* SVG images embedded using <img> tags can no longer execute Java or plugin content, suggested by Chris Evans.
*** Bug 251155 has been marked as a duplicate of this bug. ***
It's in the tree alright.
Arches, please test and mark stable:
Target keywords : "amd64 ppc x86"
x86 stable, all arches done.
I've just discovered Opera 9.63 is now available for SPARC platforms. Could it be unmasked and tested as unstable?
GLSA request filed.
(In reply to comment #18)
> I've just discovered Opera 9.63 is now available for SPARC platforms. Could it
> be unmasked and tested as unstable?
1) That's not related to this bug and you ought to have filed a new bug report.
2) It's only available for solaris, which isn't supported in the Portage tree.
(In reply to comment #10)
> CVE-2008-5178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5178):
> Heap-based buffer overflow in Opera 9.62 on Windows allows remote
> attackers to execute arbitrary code via a long file:// URI.
"on Windows": only the CVE says Windows-only. Neither the upstream advisory nor Secunia say it's Windows-only. Jer, could you please check whether we are affected by this one or not?
(In reply to comment #21)
> Jer, could you please check whether we are
> affected by this one or not?
GLSA 200903-30, thanks everyone.