Date:      Wed, 20 Aug 2008 10:28:32 +0200
From:      "Arjan van Leeuwen" <freebsd-maintainer@opera.com>
To:        "FreeBSD gnats submit" <FreeBSD-gnats-submit@FreeBSD.org>
Subject:   ports/126677: Update www/opera to version 9.52
Message-ID:  <1219220912.98539@arjanl.oslo.osa>
Resent-Message-ID: <200808200850.m7K8o37R009859@freefall.freebsd.org>


>Number:         126677
>Category:       ports
>Synopsis:       Update www/opera to version 9.52
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 20 08:50:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Arjan van Leeuwen
>Release:        FreeBSD 7.0-STABLE amd64
>Organization:
Opera Software ASA 
>Environment:


System: FreeBSD 7.0-STABLE #0: Mon Aug  4 14:28:57 CEST 2008
    root@arjanl.oslo.osa:/usr/obj/usr/src/sys/GENERIC



>Description:


This patch updates Opera (www/opera) to version 9.52.

This version fixes several security issues. A diff for vuln.xml is also attached.

Full changelog: http://www.opera.com/docs/changelogs/freebsd/952/


>How-To-Repeat:





>Fix:


--- opera.diff begins here ---
diff -urN /usr/ports/www/opera/Makefile opera/Makefile
--- /usr/ports/www/opera/Makefile	2008-07-04 15:11:09.000000000 +0200
+++ opera/Makefile	2008-08-20 09:44:08.042304827 +0200
@@ -24,16 +24,16 @@
 		${MASTER_SITE_RINGSERVER:S,%SUBDIR%,net/www/opera/unix/freebsd/${OPERA_VER:S/.//}${OPERA_MINVER}/${OPERA_REL}/en/${OPERA_ARCH}/${OPERA_LIB}/&,} \
 		http://T32.TecNik93.com/FreeBSD/others_ports/${PORTNAME}${PKGNAMESUFFIX}/sources/
 #		http://www.opera.mirroarrr.de/unix/freebsd/${OPERA_VER:S/.//}${OPERA_MINVER}/${OPERA_REL}/en/${OPERA_LIB}/ \
-DISTNAME=	${PORTNAME}-${OPERA_VER}${OPERA_MINVER}-freebsd${OPERA_TYPE}-shared-qt3.${ARCH}
+DISTNAME=	${PORTNAME}-${OPERA_VER}${OPERA_MINVER}-${OPERA_BUILD}.freebsd${OPERA_TYPE}-shared-qt3.${ARCH}
 
 MAINTAINER=	freebsd-maintainer@opera.com
 COMMENT=	Blazingly fast, full-featured, standards-compliant browser, devel version
 
-OPERA_VER=	9.51
+OPERA_VER=	9.52
 OPERA_MINVER=
 OPERA_REL=	final
-OPERA_DATE=	20080630
-OPERA_BUILD=	2061
+OPERA_DATE=	20080814
+OPERA_BUILD=	2091
 OPERA_LIB=	shared
 
 DATADIR=	${PREFIX}/share/${PORTNAME}${PKGNAMESUFFIX}
diff -urN /usr/ports/www/opera/distinfo opera/distinfo
--- /usr/ports/www/opera/distinfo	2008-07-04 00:00:48.000000000 +0200
+++ opera/distinfo	2008-08-20 09:43:39.409673306 +0200
@@ -1,15 +1,15 @@
-MD5 (opera-9.51-freebsd5-shared-qt3.i386.tar.bz2) = 14918e18face028c1e4f39ac5b8b64bd
-SHA256 (opera-9.51-freebsd5-shared-qt3.i386.tar.bz2) = 77471011691d077dedd57220d1ff44427378b1f6f4c799027657212fb513e6be
-SIZE (opera-9.51-freebsd5-shared-qt3.i386.tar.bz2) = 7104276
-MD5 (opera-9.51-freebsd6-shared-qt3.amd64.tar.bz2) = 687f3d29df7c02c1cc5e93b923a0347f
-SHA256 (opera-9.51-freebsd6-shared-qt3.amd64.tar.bz2) = 10dfeaa20492c62c88574e8ddcfd1e5570d3759b301fcb8c7aede0af5c0d4f3a
-SIZE (opera-9.51-freebsd6-shared-qt3.amd64.tar.bz2) = 7609790
-MD5 (opera-9.51-freebsd6-shared-qt3.i386.tar.bz2) = 2191de71f568593b10427337e7bb8754
-SHA256 (opera-9.51-freebsd6-shared-qt3.i386.tar.bz2) = e87cdd264c3ca0b1d0957f31373df4080b86b348f2f8c3bd1eb818b178be179b
-SIZE (opera-9.51-freebsd6-shared-qt3.i386.tar.bz2) = 7107407
-MD5 (opera-9.51-freebsd7-shared-qt3.amd64.tar.bz2) = e2f1b7fdbdc16c1f005be08e4fa863ff
-SHA256 (opera-9.51-freebsd7-shared-qt3.amd64.tar.bz2) = c062f0fe7ef1086f0d6cbde5c73257711beb888006a1bc3746c5021c6f7e8d74
-SIZE (opera-9.51-freebsd7-shared-qt3.amd64.tar.bz2) = 7522320
-MD5 (opera-9.51-freebsd7-shared-qt3.i386.tar.bz2) = 97aba5cdb35a1b43607e225556b8e09b
-SHA256 (opera-9.51-freebsd7-shared-qt3.i386.tar.bz2) = ca1d766a00d3ccd363ad6098aaa79879d09849145230c9f98d141989453f37b2
-SIZE (opera-9.51-freebsd7-shared-qt3.i386.tar.bz2) = 6986633
+MD5 (opera-9.52-2091.freebsd5-shared-qt3.i386.tar.bz2) = 3b1988c02e56f6d38bd1818c81c1cfc7
+SHA256 (opera-9.52-2091.freebsd5-shared-qt3.i386.tar.bz2) = 22c3d3692ed8162de45fbd6072378dda729172d32729f77b037bf758974ffb07
+SIZE (opera-9.52-2091.freebsd5-shared-qt3.i386.tar.bz2) = 7113343
+MD5 (opera-9.52-2091.freebsd6-shared-qt3.i386.tar.bz2) = d238cfe02bbe8066fced46ff792fab4e
+SHA256 (opera-9.52-2091.freebsd6-shared-qt3.i386.tar.bz2) = beba06e2f0f9671a86fa382fdfb8655fa0dd779a81e58ff50564e9f81b87b260
+SIZE (opera-9.52-2091.freebsd6-shared-qt3.i386.tar.bz2) = 7115380
+MD5 (opera-9.52-2091.freebsd6-shared-qt3.amd64.tar.bz2) = ff22f6cd6958935119779898f94aef7f
+SHA256 (opera-9.52-2091.freebsd6-shared-qt3.amd64.tar.bz2) = d22bef226ec7b9be5984917ca612bde10963e71f7b2d260d7b8ae31154492f50
+SIZE (opera-9.52-2091.freebsd6-shared-qt3.amd64.tar.bz2) = 7617428
+MD5 (opera-9.52-2091.freebsd7-shared-qt3.i386.tar.bz2) = 1bda34a20680b4aee382ba93366f4cb7
+SHA256 (opera-9.52-2091.freebsd7-shared-qt3.i386.tar.bz2) = 57c0acb1a5a64def126ce3b851198cb0a697cdc322fb65f21c775d4e71c1b7b6
+SIZE (opera-9.52-2091.freebsd7-shared-qt3.i386.tar.bz2) = 6995225
+MD5 (opera-9.52-2091.freebsd7-shared-qt3.amd64.tar.bz2) = 8f0319c43136ff5c4bad92994684cda3
+SHA256 (opera-9.52-2091.freebsd7-shared-qt3.amd64.tar.bz2) = 2c1c549be7e48b5262bd6185ff6aa779fc636167904b5ed4c5d5bc448f818b9c
+SIZE (opera-9.52-2091.freebsd7-shared-qt3.amd64.tar.bz2) = 7531704
--- opera.diff ends here ---
--- vuln.xml.diff begins here ---
--- vuln.xml.orig	2008-08-20 10:26:52.453553533 +0200
+++ vuln.xml	2008-08-20 10:25:14.179612991 +0200
@@ -34,6 +34,157 @@
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="f457db3b-6e8f-11dd-9c8f-001999392805">
+    <topic>opera -- Sites can change framed content on other sites</topic>
+    <affects>
+      <package>
+	<name>opera</name>
+	<range><lt>9.52.20080814</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<blockquote cite="http://www.opera.com/support/search/view/893/">;
+	<p>Scripts are able to change the addresses of framed pages that
+	  come from the same site. Due to a flaw in the way that Opera checks
+	  what frames can be changed, a site can change the address of frames
+	  on other sites inside any window that it has opened. This allows
+	  sites to open pages from other sites, and display misleading
+	  information on them.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.opera.com/support/search/view/893/</url>;
+    </references>
+    <dates>
+      <discovery>2008-08-14</discovery>
+      <entry>2008-08-20</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6b0cfefa-6e90-11dd-9c8f-001999392805">
+    <topic>opera -- Custom shortcuts can pass the wrong parameters to applications</topic>
+    <affects>
+      <package>
+	<name>opera</name>
+	<range><lt>9.52.20080814</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<blockquote cite="http://www.opera.com/support/search/view/894/">;
+	<p>Custom shortcut and menu commands can be used to activate external
+	  applications. In some cases, the parameters passed to these
+	  applications are not prepared correctly, and may be created from
+	  uninitialized memory. These may be misinterpreted as additional
+	  parameters, and depending on the application, this could allow execution
+	  of arbitrary code.</p>
+	<p>Successful exploitation requires convincing the user to modify their
+	  shortcuts or menu files appropriately, pointing to an appropriate target
+	  application, then to activate that shortcut at an appropriate time. To
+	  inject code, additional means will have to be employed.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.opera.com/support/search/view/894/</url>;
+    </references>
+    <dates>
+      <discovery>2008-08-14</discovery>
+      <entry>2008-08-20</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="c519f09f-6e90-11dd-9c8f-001999392805">
+    <topic>opera -- Insecure pages can show incorrect security information</topic>
+    <affects>
+      <package>
+	<name>opera</name>
+	<range><lt>9.52.20080814</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<blockquote cite="http://www.opera.com/support/search/view/895/">;
+	<p>When insecure pages load content from secure sites into a frame,
+	  they can cause Opera to incorrectly report the insecure site as
+	  being secure. The padlock icon will incorrectly be shown, and the
+	  security information dialog will state that the connection is secure,
+	  but without any certificate information.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.opera.com/support/search/view/895/</url>;
+    </references>
+    <dates>
+      <discovery>2008-08-14</discovery>
+      <entry>2008-08-20</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="f6d9d94c-6e90-11dd-9c8f-001999392805">
+    <topic>opera -- Feed links can link to local files</topic>
+    <affects>
+      <package>
+	<name>opera</name>
+	<range><lt>9.52.20080814</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<blockquote cite="http://www.opera.com/support/search/view/896/">;
+	<p>As a security precaution, Opera does not allow Web pages to
+	  link to files on the user's local disk. However, a flaw exists
+	  that allows Web pages to link to feed source files on the
+	  user's computer. Suitable detection of JavaScript events and
+	  appropriate manipulation can unreliably allow a script to
+	  detect the difference between successful and unsuccessful
+	  subscriptions to these files, to allow it to discover if the
+	  file exists or not. In most cases the attempt will fail.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.opera.com/support/search/view/896/</url>;
+    </references>
+    <dates>
+      <discovery>2008-08-14</discovery>
+      <entry>2008-08-20</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="35b92739-6e91-11dd-9c8f-001999392805">
+    <topic>opera -- Feed subscription can cause the wrong page address to be displayed</topic>
+    <affects>
+      <package>
+	<name>opera</name>
+	<range><lt>9.52.20080814</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<blockquote cite="http://www.opera.com/support/search/view/897/">;
+	<p>It has been reported that when a user subscribes to a news
+	  feed using the feed subscription button, the page address
+	  can be changed. This causes the address field not to update
+	  correctly. Although this can mean that that misleading
+	  information can be displayed in the address field, it can
+	  only leave the attacking page's address in the address bar,
+	  not a trusted third party address.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.opera.com/support/search/view/897</url>;
+    </references>
+    <dates>
+      <discovery>2008-08-14</discovery>
+      <entry>2008-08-20</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="c4f31e16-6e33-11dd-8eb7-0011098ad87f">
     <topic>cdf3 -- Buffer overflow vulnerability</topic>
     <affects>
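Review bot: Each of the five new entries carries only the vendor advisory `<url>` in `<references>`, with no `<cvename>`, which makes it harder for audit tooling and readers to correlate these records with other advisories; if CVE names have been assigned, add them next to the URL as `<cvename>CVE-YYYY-NNNN</cvename>` (placeholder, not a real identifier). The last entry's reference `http://www.opera.com/support/search/view/897` drops the trailing slash that its own `cite` attribute and the other four entries use, so it should read `<url>http://www.opera.com/support/search/view/897/</url>`. All five entries share the same package and the same `<lt>9.52.20080814</lt>` range, so they could be folded into a single "opera -- multiple vulnerabilities" entry, and it is worth confirming whether any separately packaged Opera build needs its own `<name>` under `<affects>`. The `;` after several tags, including the unchanged `<vuxml ...>` context line, looks like an archive rendering artifact, but the submitted file should still be run through the VuXML validation step before commit, since stray text in element-only content would fail it.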
--- vuln.xml.diff ends here ---



>Release-Note:
>Audit-Trail:
>Unformatted:


