Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 81747 - net-www/opera: default plugin search path includes untrusted directory
Summary: net-www/opera: default plugin search path includes untrusted directory
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks: 81745
  Show dependency tree
 
Reported: 2005-02-12 08:40 UTC by Tavis Ormandy (RETIRED)
Modified: 2005-02-14 11:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy (RETIRED) gentoo-dev 2005-02-12 08:40:23 UTC
$ tail /opt/opera/share/opera/ini/pluginpath.ini
/usr/lib/netscape/plugins=1
/usr/local/netscape/plugins=1
/usr/local/lib/netscape/plugins=1
$HOME/.kde/.konqueror/nsplugins=1

; Since Mozilla supports NS plugins, there might
; be some in the Mozilla plugin directory.
/usr/lib/mozilla/plugins=1
/usr/X11R6/lib/mozilla/plugins=1
/var/tmp/portage/opera-7.54-r1/image//opt/opera/lib/opera/plugins


/var/tmp/portage (or $PORTAGE_TMPDIR) is an untrusted directory writable by users in group portage (or, if PORTAGE_TMPDIR is different than the build host's or has changed since building, all sers may be able to write there).

This is exploitable by dropping shared libraries into the directory, which opera will load on stating.

example:
$ mkdir -p /var/tmp/portage/opera-7.54-r1/image//opt/opera/lib/opera/plugins
$ gcc -shared rpath.c -o /var/tmp/portage/opera-7.54-r1/image//opt/opera/lib/opera/plugins/DO-NOT-LOAD-ME\!\!.so
$ opera
exploit code now in control!
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-13 12:22:55 UTC
adding this sed to the existing install.sh sed's in src_unpack() fixes it:

"s:\(str_localdirplugin=\).*$:\1/opt/opera/lib/opera/plugins:"
Comment 2 Heinrich Wendel (RETIRED) gentoo-dev 2005-02-14 04:30:02 UTC
now in portage as 7.54-r3, stable on all previous arches, since it's only a config path fix
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-14 04:35:53 UTC
Should be included in the soon-to-be-released opera GLSA.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-14 11:40:31 UTC
GLSA 200502-17