Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 74076 - net-www/opera: 7.54u1 fixes multiple vulnerabilities
Summary: net-www/opera: 7.54u1 fixes multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.opera.com/support/search/s...
Whiteboard: B4 [glsa] jaervosz
Keywords:
: 71818 (view as bug list)
Depends on: 73871
Blocks:
  Show dependency tree
 
Reported: 2004-12-11 02:14 UTC by Aarni Honka
Modified: 2005-02-14 11:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aarni Honka 2004-12-11 02:14:26 UTC
TITLE:
Opera Download Dialog Spoofing Vulnerability

SECUNIA ADVISORY ID:
SA12981

VERIFY ADVISORY:
http://secunia.com/advisories/12981/

CRITICAL:
Moderately critical

IMPACT:
Spoofing

WHERE:
>From remote

SOFTWARE:
Opera 7.x
http://secunia.com/product/761/

DESCRIPTION:
Secunia Research has discovered a vulnerability in Opera, which can
be exploited by malicious people to trick users into executing
malicious files.

The vulnerability is caused due to the filename and the
"Content-Type" header not being sufficiently validated before being
displayed in the file download dialog. This can be exploited to spoof
file types in the download dialog by passing specially crafted
"Content-Disposition" and "Content-Type" headers containing dots and
ASCII character code 160.

Successful exploitation may result in users being tricked into
executing a malicious file via the download dialog.

The vulnerability has been confirmed on Opera 7.54 for Windows. Other
versions may also be affected.

SOLUTION:
Update to version 7.54u1.
http://www.opera.com/download/

PROVIDED AND/OR DISCOVERED BY:
Andreas Sandblad, Secunia Research.

ORIGINAL ADVISORY:
http://secunia.com/secunia_research/2004-19/advisory/

OTHER REFERENCES:
Vendor advisory:
http://www.opera.com/support/search/supsearch.dml?index=782
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-12 12:47:25 UTC
http://www.opera.com/support/search/supsearch.dml?index=782

Advisory: Opera security advisory 2004-12-10

Platform: All platforms

Opera security advisory

    * Named frames or windows can be hi-jacked by malicious frames or windows.
    * Periods in the file name and non-breaking spaces in the Content-Type header can make the save/open dialog misleading. A user may be convinced that an executable file is something else, for example a PDF document.
    * Applets have access to sun.* packages
    * Liveconnect: com.opera.EcmascriptObject constructor is accessible to Java
    * Liveconnect reveals the path to the user's home directory. This can make other vulnerabilities easier to exploit.

Severity: Moderate/high

Vulnerable versions of Opera

    * 7.54 and earlier

Opera's response

Security update 7.54u1. 7.54u1 has several security fixes. (Note: Please use the download link on the right hand side of the page.)

    * Tightened origin check for frames. A side effect of this is that documents not passing the origin check will open in a new page.
    * Fixed issue reported by Marc Sch
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-12 12:47:25 UTC
http://www.opera.com/support/search/supsearch.dml?index=782

Advisory: Opera security advisory 2004-12-10

Platform: All platforms

Opera security advisory

    * Named frames or windows can be hi-jacked by malicious frames or windows.
    * Periods in the file name and non-breaking spaces in the Content-Type header can make the save/open dialog misleading. A user may be convinced that an executable file is something else, for example a PDF document.
    * Applets have access to sun.* packages
    * Liveconnect: com.opera.EcmascriptObject constructor is accessible to Java
    * Liveconnect reveals the path to the user's home directory. This can make other vulnerabilities easier to exploit.

Severity: Moderate/high

Vulnerable versions of Opera

    * 7.54 and earlier

Opera's response

Security update 7.54u1. 7.54u1 has several security fixes. (Note: Please use the download link on the right hand side of the page.)

    * Tightened origin check for frames. A side effect of this is that documents not passing the origin check will open in a new page.
    * Fixed issue reported by Marc Schönefeld: intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user's username and install directory.
    * Fixed LiveConnect class access security issue reported by Jouko Pynnonen.
    * Fixed Secunia issue SA12981, reported by Andreas Sandblad: periods in the file name and non-breaking spaces in content-type header type could obscure the file type.
    * Fixed Secunia issue SA13253: "hi-jacking" a named browser window.
    * Improved support for the "must-revalidate" cache directive.

Credits

    * Secunia Research
    * Andreas Sandblad, Secunia Research
    * Mark Schönefeld
    * Jouko Pynnonen


___

lanius: pls update to the fixed version
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2004-12-13 04:49:59 UTC
added opera-7.54-r1
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-13 04:56:16 UTC
Thx Heinrich.

Arches please mark stable.

This also fixes bug #71818 (Java issues).
Comment 5 Jason Wever (RETIRED) gentoo-dev 2004-12-14 17:51:09 UTC
     _        _     _                                               
 ___| |_ __ _| |__ | | ___    ___  _ __    ___ _ __   __ _ _ __ ___ 
/ __| __/ _` | '_ \| |/ _ \  / _ \| '_ \  / __| '_ \ / _` | '__/ __|
\__ \ || (_| | |_) | |  __/ | (_) | | | | \__ \ |_) | (_| | | | (__ 
|___/\__\__,_|_.__/|_|\___|  \___/|_| |_| |___/ .__/ \__,_|_|  \___|
                                              |_|                   
Comment 6 Simon Stelling (RETIRED) gentoo-dev 2004-12-18 08:37:10 UTC
amd64 done
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-19 03:38:06 UTC
Thx Simon.

This one is ready for GLSA, Security please vote.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-12-19 05:35:52 UTC
I vote yes. Also this seems to fix the Java sandbox problems which are quite critical (bug 71818).
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-19 06:48:41 UTC
Correct. We'll have a GLSA on this one.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-12-20 03:04:03 UTC
Note that according to http://secunia.com/advisories/13253/ Opera just partly fixed the windows injection vulnerability.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 06:28:51 UTC
*** Bug 71818 has been marked as a duplicate of this bug. ***
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 06:45:04 UTC
Hmmkay...

I'm no longer sure this is worth a GLSA (for the moment). What we have fixed here is mostly download scams and info leaks:

* Named frames or windows can be hi-jacked by malicious frames or windows. Opera now tightens origin check for frames. [This is http://secunia.com/advisories/13253/ which Secunia says is just partly fixed. This one could be worth a GLSA, but it's not really fixed, so...]

* Periods in the file name and non-breaking spaces in the Content-Type header can make the save/open dialog misleading. A user may be convinced that an executable file is something else, for example a PDF document. [This is http://secunia.com/advisories/12981/ . Not sure it's worth a GLSA]

* Applets have access to sun.* packages : intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user's username and install directory [This is the one that convinced me to issue a GLSA. In fact it's just a small infoleak, not a sandbox bypass, so it's probably not worth a GLSA]

* Liveconnect: com.opera.EcmascriptObject constructor is accessible to Java and LiveConnect reveals the path to the user's home directory. [small infoleak]

* Improved support for the "must-revalidate" cache directive. [yeah right]

We still have two vulnerabilities current, the kfmclient exec Opera/KDE thing (which is rather grave for KDE users) and a complete fix to Secunia's window injection thing. So we have two choices, issuing a "Low" GLSA with what is fixed in 7.54u1 or wait for other fixes to come in.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-21 07:11:28 UTC
Sie sind verwundbar: class sun.text.Utility

Version 7.54 u1

I vote for hold on this one.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-21 08:07:13 UTC
We should hold this one and wait for new fixes I guess.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 08:33:31 UTC
On hold waiting for more fixes
Comment 16 Heinrich Wendel (RETIRED) gentoo-dev 2005-02-12 03:32:27 UTC
754u2 is released and in portage
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-14 11:40:15 UTC
GLSA 200502-17