Subject: pkg/25588: www/opera7 is local-code-execution exploitable
To: None <>
From: Christian Biere <>
List: pkgsrc-bugs
Date: 05/16/2004 04:19:15
>Number:         25588
>Category:       pkg
>Synopsis:       www/opera7 is local-code-execution exploitable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May 16 02:20:00 UTC 2004
>Originator:     Christian Biere
>Release:        NetBSD 2.0E
System: NetBSD cyclonus 2.0E NetBSD 2.0E (STARSCREAM) #0: Sat Apr 24 19:43:57 CEST 2004 bin@cyclonus:/usr/obj/sys/arch/i386/compile/STARSCREAM i386

The startup wrapper script for Opera7 - I've checked 7.23 and 7.50 -
contains the shell code as seen below in the packages for FreeBSD and
Solaris (but not Linux). This means that if you start opera from an insecure
directory like /tmp, which is (usually) world-writable, anyone could
place appropriate files there and inject arbitrary code. I do not have
the slightest idea what the legitimate purpose of using $PWD-relative
paths here is. The vendor was informed on Thursday.

Strike 1:
# Opera enviroment
if test "${OPERA_DIR}" = '' ; then
export OPERA_DIR

// Opera package classes get all permissions
grant codebase \"file://${OPERA_DIR}/java//opera.jar\" {

Strike 2:
# Opera Plug-in enviroment, Add more plugin search paths here
# If OPERA_PLUGIN_PATH is set NPX_PLUGIN_PATH will be ignored

for DIR in \
    "${PWD}/plugins" \

    if test -d "${DIR}" ; then OPERA_PLUGIN_PATH="${OPERA_PLUGIN_PATH}":"${DIR}"; fi

Strike 3 (the worst):
# Setting environment relative to current working directory

Three strikes and you're out.


Exploiting this might require luck (people starting opera while having /tmp
as $PWD) or social engineering (e.g., untarring something in $HOME or $PWD
which includes a lib directory) but should be straightforward besides


Remove all code which adds paths relative to the current working directory
to environment variables from the wrapper script.
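As an added example (not code from the Opera wrapper or from this PR), the
two helpers below show what a packager can do after stripping the
$PWD-relative code: audit_wrapper greps a wrapper script for any remaining
current-directory-derived path construction, and build_plugin_path assembles
a plugin search path only from absolute, existing directories that are not
world-writable, so a "plugins" entry or a /tmp subdirectory is silently
dropped. Directory names and the sample wrapper lines are constructed for
the example.

```shell
#!/bin/sh
# Added example, not code from the Opera wrapper or the pkgsrc PR.
#   audit_wrapper     - detection: flag $PWD / $(pwd) / `pwd` in a wrapper
#   build_plugin_path - mitigation: keep only absolute, existing,
#                       non-world-writable directories in the search path
# All directory names and sample wrapper contents below are constructed.

# Print the lines of script $1 that derive paths from the current working
# directory. Returns 0 when the script is clean, 1 when something matched.
audit_wrapper() {
    if grep -n -E '\$[{]?PWD[}]?|\$\(pwd\)|`pwd`' "$1"; then
        return 1
    fi
    return 0
}

# Append directory $2 to the colon-separated path $1 and print the result.
# The path is printed unchanged when $2 is relative, missing, or writable
# by "other" (the 9th character of the ls -ld mode string).
append_plugin_dir() {
    _path=$1
    _dir=$2
    case $_dir in
        /*) ;;                                   # absolute: may be considered
        *)  printf '%s\n' "$_path"; return 0 ;;  # relative (e.g. plugins): never
    esac
    [ -d "$_dir" ] || { printf '%s\n' "$_path"; return 0; }
    _ow=$(ls -ld "$_dir" | cut -c9)
    if [ "$_ow" = "w" ]; then                    # world-writable: reject
        printf '%s\n' "$_path"; return 0
    fi
    if [ -z "$_path" ]; then
        printf '%s\n' "$_dir"
    else
        printf '%s\n' "$_path:$_dir"
    fi
}

# Build the full search path from all candidate directories given as arguments.
build_plugin_path() {
    _acc=
    for _d in "$@"; do
        _acc=$(append_plugin_dir "$_acc" "$_d")
    done
    printf '%s\n' "$_acc"
}

# Stand-alone demo on constructed directories; cleans up after itself.
_demo=$(mktemp -d) || exit 1
mkdir "$_demo/safe" "$_demo/open"
chmod 755 "$_demo/safe"
chmod 777 "$_demo/open"
printf 'for DIR in "${PWD}/plugins" "%s/safe"\n' "$_demo" > "$_demo/wrapper.sh"
echo "audit of constructed wrapper:"
audit_wrapper "$_demo/wrapper.sh" || echo "  -> wrapper derives paths from \$PWD"
echo "plugin path: $(build_plugin_path "$_demo/safe" "$_demo/open" plugins "$_demo/missing")"
rm -rf "$_demo"
```

The world-writable test relies on the "other" write bit only; a directory owned by a different unprivileged user would still be accepted, so on multi-user hosts the candidate list itself should stay limited to the package's own install prefix.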