Date: Wed, 20 Aug 2008 10:28:32 +0200
From: "Arjan van Leeuwen" <freebsd-maintainer@opera.com>
To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@FreeBSD.org>
Subject: ports/126677: Update www/opera to version 9.52
Message-ID: <1219220912.98539@arjanl.oslo.osa>
Resent-Message-ID: <200808200850.m7K8o37R009859@freefall.freebsd.org>
>Number: 126677
>Category: ports
>Synopsis: Update www/opera to version 9.52
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 20 08:50:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Arjan van Leeuwen
>Release: FreeBSD 7.0-STABLE amd64
>Organization: Opera Software ASA
>Environment:
System: FreeBSD 7.0-STABLE #0: Mon Aug 4 14:28:57 CEST 2008 root@arjanl.oslo.osa:/usr/obj/usr/src/sys/GENERIC
>Description:
This patch updates Opera (www/opera) to version 9.52. This version fixes several security issues. A diff for vuln.xml is also attached.
Full changelog: http://www.opera.com/docs/changelogs/freebsd/952/
>How-To-Repeat:
>Fix:
--- opera.diff begins here --- diff -urN /usr/ports/www/opera/Makefile opera/Makefile --- /usr/ports/www/opera/Makefile 2008-07-04 15:11:09.000000000 +0200 +++ opera/Makefile 2008-08-20 09:44:08.042304827 +0200 
@@ -24,16 +24,16 @@ ${MASTER_SITE_RINGSERVER:S,%SUBDIR%,net/www/opera/unix/freebsd/${OPERA_VER:S/.//}${OPERA_MINVER}/${OPERA_REL}/en/${OPERA_ARCH}/${OPERA_LIB}/&,} \ http://T32.TecNik93.com/FreeBSD/others_ports/${PORTNAME}${PKGNAMESUFFIX}/sources/ # http://www.opera.mirroarrr.de/unix/freebsd/${OPERA_VER:S/.//}${OPERA_MINVER}/${OPERA_REL}/en/${OPERA_LIB}/ \ -DISTNAME= ${PORTNAME}-${OPERA_VER}${OPERA_MINVER}-freebsd${OPERA_TYPE}-shared-qt3.${ARCH} +DISTNAME= ${PORTNAME}-${OPERA_VER}${OPERA_MINVER}-${OPERA_BUILD}.freebsd${OPERA_TYPE}-shared-qt3.${ARCH} MAINTAINER= freebsd-maintainer@opera.com COMMENT= Blazingly fast, full-featured, standards-compliant browser, devel version -OPERA_VER= 9.51 +OPERA_VER= 9.52 OPERA_MINVER= OPERA_REL= final -OPERA_DATE= 20080630 -OPERA_BUILD= 2061 +OPERA_DATE= 20080814 +OPERA_BUILD= 2091 OPERA_LIB= shared DATADIR= ${PREFIX}/share/${PORTNAME}${PKGNAMESUFFIX} diff -urN /usr/ports/www/opera/distinfo opera/distinfo --- /usr/ports/www/opera/distinfo 2008-07-04 00:00:48.000000000 +0200 +++ opera/distinfo 2008-08-20 09:43:39.409673306 +0200 
@@ -1,15 +1,15 @@ -MD5 (opera-9.51-freebsd5-shared-qt3.i386.tar.bz2) = 14918e18face028c1e4f39ac5b8b64bd -SHA256 (opera-9.51-freebsd5-shared-qt3.i386.tar.bz2) = 77471011691d077dedd57220d1ff44427378b1f6f4c799027657212fb513e6be -SIZE (opera-9.51-freebsd5-shared-qt3.i386.tar.bz2) = 7104276 -MD5 (opera-9.51-freebsd6-shared-qt3.amd64.tar.bz2) = 687f3d29df7c02c1cc5e93b923a0347f -SHA256 (opera-9.51-freebsd6-shared-qt3.amd64.tar.bz2) = 10dfeaa20492c62c88574e8ddcfd1e5570d3759b301fcb8c7aede0af5c0d4f3a -SIZE (opera-9.51-freebsd6-shared-qt3.amd64.tar.bz2) = 7609790 -MD5 (opera-9.51-freebsd6-shared-qt3.i386.tar.bz2) = 2191de71f568593b10427337e7bb8754 -SHA256 (opera-9.51-freebsd6-shared-qt3.i386.tar.bz2) = e87cdd264c3ca0b1d0957f31373df4080b86b348f2f8c3bd1eb818b178be179b -SIZE (opera-9.51-freebsd6-shared-qt3.i386.tar.bz2) = 7107407 -MD5 (opera-9.51-freebsd7-shared-qt3.amd64.tar.bz2) = e2f1b7fdbdc16c1f005be08e4fa863ff -SHA256 (opera-9.51-freebsd7-shared-qt3.amd64.tar.bz2) = c062f0fe7ef1086f0d6cbde5c73257711beb888006a1bc3746c5021c6f7e8d74 -SIZE (opera-9.51-freebsd7-shared-qt3.amd64.tar.bz2) = 7522320 -MD5 (opera-9.51-freebsd7-shared-qt3.i386.tar.bz2) = 97aba5cdb35a1b43607e225556b8e09b -SHA256 (opera-9.51-freebsd7-shared-qt3.i386.tar.bz2) = ca1d766a00d3ccd363ad6098aaa79879d09849145230c9f98d141989453f37b2 -SIZE (opera-9.51-freebsd7-shared-qt3.i386.tar.bz2) = 6986633 +MD5 (opera-9.52-2091.freebsd5-shared-qt3.i386.tar.bz2) = 3b1988c02e56f6d38bd1818c81c1cfc7 +SHA256 (opera-9.52-2091.freebsd5-shared-qt3.i386.tar.bz2) = 22c3d3692ed8162de45fbd6072378dda729172d32729f77b037bf758974ffb07 +SIZE (opera-9.52-2091.freebsd5-shared-qt3.i386.tar.bz2) = 7113343 +MD5 (opera-9.52-2091.freebsd6-shared-qt3.i386.tar.bz2) = d238cfe02bbe8066fced46ff792fab4e +SHA256 (opera-9.52-2091.freebsd6-shared-qt3.i386.tar.bz2) = beba06e2f0f9671a86fa382fdfb8655fa0dd779a81e58ff50564e9f81b87b260 +SIZE (opera-9.52-2091.freebsd6-shared-qt3.i386.tar.bz2) = 7115380 +MD5 (opera-9.52-2091.freebsd6-shared-qt3.amd64.tar.bz2) = 
ff22f6cd6958935119779898f94aef7f +SHA256 (opera-9.52-2091.freebsd6-shared-qt3.amd64.tar.bz2) = d22bef226ec7b9be5984917ca612bde10963e71f7b2d260d7b8ae31154492f50 +SIZE (opera-9.52-2091.freebsd6-shared-qt3.amd64.tar.bz2) = 7617428 +MD5 (opera-9.52-2091.freebsd7-shared-qt3.i386.tar.bz2) = 1bda34a20680b4aee382ba93366f4cb7 +SHA256 (opera-9.52-2091.freebsd7-shared-qt3.i386.tar.bz2) = 57c0acb1a5a64def126ce3b851198cb0a697cdc322fb65f21c775d4e71c1b7b6 +SIZE (opera-9.52-2091.freebsd7-shared-qt3.i386.tar.bz2) = 6995225 +MD5 (opera-9.52-2091.freebsd7-shared-qt3.amd64.tar.bz2) = 8f0319c43136ff5c4bad92994684cda3 +SHA256 (opera-9.52-2091.freebsd7-shared-qt3.amd64.tar.bz2) = 2c1c549be7e48b5262bd6185ff6aa779fc636167904b5ed4c5d5bc448f818b9c +SIZE (opera-9.52-2091.freebsd7-shared-qt3.amd64.tar.bz2) = 7531704 --- opera.diff ends here --- --- vuln.xml.diff begins here --- --- vuln.xml.orig 2008-08-20 10:26:52.453553533 +0200 +++ vuln.xml 2008-08-20 10:25:14.179612991 +0200 
@@ -34,6 +34,157 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="f457db3b-6e8f-11dd-9c8f-001999392805"> + <topic>opera -- Sites can change framed content on other sites</topic> + <affects> + <package> + <name>opera</name> + <range><lt>9.52.20080814</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="http://www.opera.com/support/search/view/893/"> + <p>Scripts are able to change the addresses of framed pages that + come from the same site. Due to a flaw in the way that Opera checks + what frames can be changed, a site can change the address of frames + on other sites inside any window that it has opened. This allows + sites to open pages from other sites, and display misleading + information on them.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.opera.com/support/search/view/893/</url> + </references> + <dates> + <discovery>2008-08-14</discovery> + <entry>2008-08-20</entry> + </dates> + </vuln> + + <vuln vid="6b0cfefa-6e90-11dd-9c8f-001999392805"> + <topic>opera -- Custom shortcuts can pass the wrong parameters to applications</topic> + <affects> + <package> + <name>opera</name> + <range><lt>9.52.20080814</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="http://www.opera.com/support/search/view/894/"> + <p>Custom shortcut and menu commands can be used to activate external + applications. In some cases, the parameters passed to these + applications are not prepared correctly, and may be created from + uninitialized memory. 
These may be misinterpreted as additional + parameters, and depending on the application, this could allow execution + of arbitrary code.</p> + <p>Successful exploitation requires convincing the user to modify their + shortcuts or menu files appropriately, pointing to an appropriate target + application, then to activate that shortcut at an appropriate time. To + inject code, additional means will have to be employed.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.opera.com/support/search/view/894/</url> + </references> + <dates> + <discovery>2008-08-14</discovery> + <entry>2008-08-20</entry> + </dates> + </vuln> + + <vuln vid="c519f09f-6e90-11dd-9c8f-001999392805"> + <topic>opera -- Insecure pages can show incorrect security information</topic> + <affects> + <package> + <name>opera</name> + <range><lt>9.52.20080814</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="http://www.opera.com/support/search/view/895/"> + <p>When insecure pages load content from secure sites into a frame, + they can cause Opera to incorrectly report the insecure site as + being secure. 
The padlock icon will incorrectly be shown, and the + security information dialog will state that the connection is secure, + but without any certificate information.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.opera.com/support/search/view/895/</url> + </references> + <dates> + <discovery>2008-08-14</discovery> + <entry>2008-08-20</entry> + </dates> + </vuln> + + <vuln vid="f6d9d94c-6e90-11dd-9c8f-001999392805"> + <topic>opera -- Feed links can link to local files</topic> + <affects> + <package> + <name>opera</name> + <range><lt>9.52.20080814</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="http://www.opera.com/support/search/view/896/"> + <p>As a security precaution, Opera does not allow Web pages to + link to files on the user's local disk. However, a flaw exists + that allows Web pages to link to feed source files on the + user's computer. Suitable detection of JavaScript events and + appropriate manipulation can unreliably allow a script to + detect the difference between successful and unsuccessful + subscriptions to these files, to allow it to discover if the + file exists or not. 
In most cases the attempt will fail.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.opera.com/support/search/view/896/</url> + </references> + <dates> + <discovery>2008-08-14</discovery> + <entry>2008-08-20</entry> + </dates> + </vuln> + + <vuln vid="35b92739-6e91-11dd-9c8f-001999392805"> + <topic>opera -- Feed subscription can cause the wrong page address to be displayed</topic> + <affects> + <package> + <name>opera</name> + <range><lt>9.52.20080814</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="http://www.opera.com/support/search/view/897/"> + <p>It has been reported that when a user subscribes to a news + feed using the feed subscription button, the page address + can be changed. This causes the address field not to update + correctly. Although this can mean that that misleading + information can be displayed in the address field, it can + only leave the attacking page's address in the address bar, + not a trusted third party address.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.opera.com/support/search/view/897</url> + </references> + <dates> + <discovery>2008-08-14</discovery> + <entry>2008-08-20</entry> + </dates> + </vuln> + <vuln vid="c4f31e16-6e33-11dd-8eb7-0011098ad87f"> <topic>cdf3 -- Buffer overflow vulnerability</topic> <affects> --- vuln.xml.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
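Review bot: in the opera/Makefile hunk, the new `+DISTNAME=` line makes the distfile name depend on `${OPERA_BUILD}` (`...${OPERA_MINVER}-${OPERA_BUILD}.freebsd${OPERA_TYPE}-shared-qt3.${ARCH}`), so `OPERA_BUILD= 2091` now has to agree with the `2091` in every distinfo file name or the fetch and checksum steps will look for a file that has no entry. A short comment beside `OPERA_BUILD` saying it is part of the distfile name would keep a later update from bumping only `OPERA_VER` and `OPERA_DATE`. The unchanged `COMMENT=` line still ends in "devel version" although `OPERA_REL= final`; that is worth correcting in the same update.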
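Review bot: in the opera/distinfo hunk, the added entries list i386 before amd64 for freebsd6 and freebsd7, the reverse of the removed lines, which makes the old and new checksum sets harder to compare line by line. If the block was assembled by hand, regenerate it with `make makesum` and confirm the SHA256 values against the files actually fetched from the master sites. All five new names carry `9.52-2091.` and so agree with the new DISTNAME pattern, and each has MD5, SHA256 and SIZE; the SHA256 line is the one to rely on for integrity, since MD5 is not collision resistant.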
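Review bot: in the vuln.xml hunk, the last new entry (vid 35b92739-6e91-11dd-9c8f-001999392805) has `<url>http://www.opera.com/support/search/view/897</url>` without the trailing slash that its own `<blockquote cite="http://www.opera.com/support/search/view/897/">` and the other four `<url>` elements use; make it end in `/897/` so the reference and the citation match. The same entry's quoted text reads "this can mean that that misleading", so check it against the advisory and drop the doubled word if it is a copy error. The five entries share the same `<range><lt>9.52.20080814</lt></range>` and dates and give only a `<url>` reference each; if CVE names have been assigned for these issues, adding `<cvename>` elements would make the entries easier to cross-reference.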