FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

opera -- multiple vulnerabilities

Affected packages
linux-opera < 9.10
opera < 9.10
opera-devel < 9.10

Details

VuXML ID 78ad2525-9d0c-11db-a5f6-000c6ec775d9
Discovery 2007-01-05
Entry 2007-01-05
Modified 2010-05-12

iDefense reports:

The vulnerability specifically exists due to Opera improperly processing a JPEG DHT marker. The DHT marker is used to define a Huffman Table which is used for decoding the image data. An invalid number of index bytes in the DHT marker will trigger a heap overflow with partially user controlled data.

Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious image and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.

A flaw exists within Opera's Javascript SVG implementation. When processing a createSVGTransformFromMatrix request Opera does not properly validate the type of object passed to the function. Passing an incorrect object to this function can result in it using a pointer that is user controlled when it attempts to make the virtual function call.

Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious JavaScript and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.

References

CVE Name CVE-2007-0126
CVE Name CVE-2007-0127
URL http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=457
URL http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=458
URL http://www.opera.com/support/search/supsearch.dml?index=851
URL http://www.opera.com/support/search/supsearch.dml?index=852