aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authornectar <nectar@FreeBSD.org>2005-01-22 00:50:40 +0800
committernectar <nectar@FreeBSD.org>2005-01-22 00:50:40 +0800
commit88a254f89ac6bd43a0d77d13c83e0c6560c886b8 (patch)
tree5321beb9867489b9374d6f7b83af82ee395aae4f
parent672780b0ea511bc34c73492a58879d974ddd44ce (diff)
downloadfreebsd-ports-gnome-88a254f89ac6bd43a0d77d13c83e0c6560c886b8.tar.gz
freebsd-ports-gnome-88a254f89ac6bd43a0d77d13c83e0c6560c886b8.tar.zst
freebsd-ports-gnome-88a254f89ac6bd43a0d77d13c83e0c6560c886b8.zip
Document vulnerabilities in the Opera web browser's Java implementation.
-rw-r--r--security/vuxml/vuln.xml56
1 files changed, 56 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index b89fd1083008..31557fcb68c7 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -32,6 +32,62 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="1489df94-6bcb-11d9-a21e-000a95bc6fae">
+ <topic>opera -- multiple vulnerabilities in Java implementation</topic>
+ <affects>
+ <package>
+ <name>opera</name>
+ <name>opera-devel</name>
+ <name>linux-opera</name>
+ <range><lt>7.60.20041203</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Marc Schoenefeld reports:</p>
+ <blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110088923127820">
+ <p>Opera 7.54 is vulnerable to leakage of the java sandbox,
+ allowing malicious applets to gain unacceptable
+ privileges. This allows them to be used for information
+ gathering (spying) of local identity information and
+ system configurations as well as causing annoying crash
+ effects.</p>
+ <p>Opera 754 <em>[sic]</em> which was released Aug 5,2004 is
+ vulnerable to the XSLT processor covert channel attack,
+ which was corrected with JRE 1.4.2_05 [released in July
+ 04], but in disadvantage to the users the opera packaging
+ guys chose to bundle the JRE 1.4.2_04 <em>[...]</em></p>
+ <p>Internal pointer DoS exploitation: Opera.jar contains the
+ opera replacement of the java plugin. It therefore handles
+ communication between javascript and the Java VM via the
+ liveconnect protocol. The public class EcmaScriptObject
+ exposes a system memory pointer to the java address space,
+ by constructing a special variant of this type an internal
+ cache table can be polluted by false entries that infer
+ proper function of the JSObject class and in the following
+ proof-of-concept crash the browser.</p>
+ <p>Exposure of location of local java installation Sniffing
+ the URL classpath allows to retrieve the URLs of the
+ bootstrap class path and therefore the JDK installation
+ directory.</p>
+ <p>Exposure of local user name to an untrusted applet An
+ attacker could use the sun.security.krb5.Credentials class
+ to retrieve the name of the currently logged in user and
+ parse his home directory from the information which is
+ provided by the thrown
+ java.security.AccessControlException.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <mlist msgid="Pine.A41.4.58.0411191800510.57436@zivunix.uni-muenster.de">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110088923127820</mlist>
+ </references>
+ <dates>
+ <discovery>2004-11-19</discovery>
+ <entry>2005-01-21</entry>
+ </dates>
+ </vuln>
+
<vuln vid="045944a0-6bca-11d9-aaa6-000a95bc6fae">
<topic>sudo -- environmental variable CDPATH is not cleared</topic>
<affects>