$ tail /opt/opera/share/opera/ini/pluginpath.ini /usr/lib/netscape/plugins=1 /usr/local/netscape/plugins=1 /usr/local/lib/netscape/plugins=1 $HOME/.kde/.konqueror/nsplugins=1 ; Since Mozilla supports NS plugins, there might ; be some in the Mozilla plugin directory. /usr/lib/mozilla/plugins=1 /usr/X11R6/lib/mozilla/plugins=1 /var/tmp/portage/opera-7.54-r1/image//opt/opera/lib/opera/plugins /var/tmp/portage (or $PORTAGE_TMPDIR) is an untrusted directory writable by users in group portage (or, if PORTAGE_TMPDIR is different than the build host's or has changed since building, all sers may be able to write there). This is exploitable by dropping shared libraries into the directory, which opera will load on stating. example: $ mkdir -p /var/tmp/portage/opera-7.54-r1/image//opt/opera/lib/opera/plugins $ gcc -shared rpath.c -o /var/tmp/portage/opera-7.54-r1/image//opt/opera/lib/opera/plugins/DO-NOT-LOAD-ME\!\!.so $ opera exploit code now in control!
adding this sed to the existing install.sh sed's in src_unpack() fixes it: "s:\(str_localdirplugin=\).*$:\1/opt/opera/lib/opera/plugins:"
now in portage as 7.54-r3, stable on all previous arches, since it's only a config path fix
Should be included in the soon-to-be-released opera GLSA.
GLSA 200502-17
