[Bug 232210] New: VUL-0: opera < 9.10 problems

https://bugzilla.novell.com/show_bug.cgi?id=232210

           Summary: VUL-0: opera < 9.10 problems
           Product: openSUSE 10.2
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Commercial
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: meissner@novell.com
         QAContact: qa@suse.de

The latest Opera update apparently also had security fixes.

Opera Software Opera Web Browser createSVGTransformFromMatrix Object Typecasting Vulnerability

iDefense Security Advisory 01.05.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 05, 2007

I. BACKGROUND

Opera is a cross-platform web browser. More information is available at http://www.opera.com/

II. DESCRIPTION

Remote exploitation of a typecasting bug in Opera Software ASA's Opera Web browser could allow an attacker to execute arbitrary code on the affected host.

A flaw exists within Opera's Javascript SVG implementation. When processing a createSVGTransformFromMatrix request Opera does not properly validate the type of object passed to the function. Passing an incorrect object to this function can result in it using a pointer that is user controlled when it attempts to make the virtual function call.

III. ANALYSIS

Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious JavaScript and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Opera version 9.02 on both Windows and Linux. Previous versions may also be affected.

V. WORKAROUND

Disabling JavaScript will prevent the vulnerability from being triggered.

VI. VENDOR RESPONSE

Opera Software has addressed this vulnerability in version 9.10. More information is available at the following link.

http://www.opera.com/support/search/supsearch.dml?index=852

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

11/16/2006 Initial vendor notification
11/17/2006 Initial vendor response
01/05/2007 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=232210

meissner@novell.com changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |ltinkl@novell.com

------- Comment #1 from meissner@novell.com 2007-01-05 11:01 MST -------

Opera Software Opera Web Browser JPG Image DHT Marker Heap Corruption Vulnerability

iDefense Security Advisory 01.05.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 05, 2007

I. BACKGROUND

Opera is a cross-platform web browser. More information is available at http://www.opera.com/

II. DESCRIPTION

Remote exploitation of a heap overflow in Opera Software ASA's Opera Web browser could allow an attacker to execute arbitrary code in the security context of the current user.

The vulnerability specifically exists due to Opera improperly processing a JPEG DHT marker. The DHT marker is used to define a Huffman Table which is used for decoding the image data. An invalid number of index bytes in the DHT marker will trigger a heap overflow with partially user controlled data.

III. ANALYSIS

Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious image and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Opera version 9.02 on both Windows and Linux. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any effective workarounds for this issue.

VI. VENDOR RESPONSE

Opera Software has addressed this vulnerability in version 9.10. More information is available at the following link.

http://www.opera.com/support/search/supsearch.dml?index=852

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

11/16/2006 Initial vendor notification
11/17/2006 Initial vendor response
01/05/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Christoph Diehl.
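
A bounds check of the kind a JPEG decoder needs before it copies a Huffman table out of a DHT segment, as an added example that is not Opera's code or part of this bug report. It follows the DHT segment layout from ITU-T T.81; reading the advisory's "index bytes" as the 16 code-length counts is an assumption, and the function name, status codes and sample segments are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum dht_status { DHT_OK, DHT_TRUNCATED, DHT_BAD_LENGTH, DHT_BAD_ID, DHT_BAD_COUNTS };

/* Constructed sample: one DC table, 12 symbols, Lh = 2 + 1 + 16 + 12 = 0x1F. */
static const uint8_t sample_ok[] = {
    0xFF, 0xC4, 0x00, 0x1F, 0x00,
    0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0,
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 };
/* Constructed sample: counts announce 255 symbols, segment carries none. */
static const uint8_t sample_bad[] = {
    0xFF, 0xC4, 0x00, 0x13, 0x00,
    0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Validate the DHT segment at seg (avail bytes readable) before any table
 * is copied; *n_tables receives the number of tables on success. */
enum dht_status dht_validate(const uint8_t *seg, size_t avail, unsigned *n_tables)
{
    if (avail < 4 || seg[0] != 0xFF || seg[1] != 0xC4)
        return DHT_TRUNCATED;
    size_t lh = ((size_t)seg[2] << 8) | seg[3];  /* counts its own 2 bytes */
    if (lh < 2 + 17 || lh > avail - 2)
        return DHT_BAD_LENGTH;
    const uint8_t *p = seg + 4, *end = seg + 2 + lh;
    unsigned tables = 0;
    while (p < end) {
        if ((size_t)(end - p) < 17)              /* Tc/Th byte + 16 counts */
            return DHT_TRUNCATED;
        if ((p[0] >> 4) > 1 || (p[0] & 0x0F) > 3)
            return DHT_BAD_ID;
        size_t total = 0;
        unsigned long free_codes = 1;            /* unassigned codes so far */
        for (int i = 1; i <= 16; i++) {
            free_codes <<= 1;                    /* one bit longer */
            if (p[i] > free_codes)
                return DHT_BAD_COUNTS;           /* not a prefix code */
            free_codes -= p[i];
            total += p[i];
        }
        /* The symbol list must fit a 256-entry table and the segment. */
        if (total > 256 || total > (size_t)(end - p) - 17)
            return DHT_BAD_COUNTS;
        p += 17 + total;
        tables++;
    }
    *n_tables = tables;
    return DHT_OK;
}
```

A decoder that sizes its table buffers for 256 symbols can copy `total` bytes per table only after this function returns `DHT_OK`.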

https://bugzilla.novell.com/show_bug.cgi?id=232210

meissner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
           Severity|Normal                      |Critical

------- Comment #2 from meissner@novell.com 2007-01-08 02:53 MST -------

remotely exploitable -> critical

please try to submit fixed packages today.

https://bugzilla.novell.com/show_bug.cgi?id=232210

------- Comment #3 from meissner@novell.com 2007-01-09 13:23 MST -------

CVE-2007-0127

The Javascript SVG support in Opera before 9.10 does not properly validate object types in a createSVGTransformFromMatrix request, which allows remote attackers to execute arbitrary code via JavaScript code that uses an invalid object in this request that causes a controlled pointer to be referenced during the virtual function call.

https://bugzilla.novell.com/show_bug.cgi?id=232210

------- Comment #4 from meissner@novell.com 2007-01-09 13:24 MST -------

CVE-2007-0126

Heap-based buffer overflow in Opera 9.02 allows remote attackers to execute arbitrary code via a JPEG file with an invalid number of index bytes in the Define Huffman Table (DHT) marker.

https://bugzilla.novell.com/show_bug.cgi?id=232210

ltinkl@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=232210

------- Comment #5 from ltinkl@novell.com 2007-01-09 17:56 MST -------

Fixed packages down to 9.3 submitted

https://bugzilla.novell.com/show_bug.cgi?id=232210

thomas@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |patchinfos submitted

------- Comment #6 from thomas@novell.com 2007-01-10 03:46 MST -------

SWAMPID: 7820

https://bugzilla.novell.com/show_bug.cgi?id=232210

------- Comment #7 from thomas@novell.com 2007-01-10 03:47 MST -------

(In reply to comment #6)
> SWAMPID: 7820

forget this ID it is a duplicate

https://bugzilla.novell.com/show_bug.cgi?id=232210

------- Comment #8 from thomas@novell.com 2007-01-10 03:47 MST -------

swampid 7754

https://bugzilla.novell.com/show_bug.cgi?id=232210

meissner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Comment #9 from meissner@novell.com 2007-01-15 05:48 MST -------

updates released, thanks!