Bug 6465

Summary: Security update request for opera, to 12.00
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, derekjenn, pham182b, qa-bugs, sysadmin-bugs, tmb
Version: 2Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: mga2-32-OK mga2-64-OK mga1-64-OK, mga1-32-OK
Source RPM: opera CVE:
Status comment:

Description Anssi Hannula 2012-06-14 18:01:06 CEST 
Opera 12.00 has been pushed to mga1+mga2 nonfree/updates_testing.

Suggested advisory
===================
Opera 12.00 fixes several security and stability issues found in previous versions and contains new and improved features.

Fixed an issue where hidden keyboard navigation could allow cross site scripting or code execution, as reported by Jordi Chancel.
http://www.opera.com/support/kb/view/1021/

Fixed an issue where a combination of clicks and key presses could lead to cross site scripting or code execution, as reported by Jordi Chancel.
http://www.opera.com/support/kb/view/1020/

Fixed an issue where cross-domain JSON resources may be exposed as JavaScript variable data.
http://www.opera.com/support/kb/view/1019/

Fixed an issue where carefully timed reloads, redirects, and navigation could spoof the address field, as reported by Jordi Chancel.
http://www.opera.com/support/kb/view/1018/

Fixed an issue where pages could prevent navigation to a target page, spoofing the address field, as reported by Code Audit Labs of vulnhunt.com.
http://www.opera.com/support/kb/view/1022/

For a complete list of changes including the non-security fixes, see
http://www.opera.com/docs/changelogs/unix/1200/
====================

Packages:
opera-12.00-1.mga1.nonfree
opera-12.00-1.mga2.nonfree
Comment 1 Dave Hodgins 2012-06-15 21:15:47 CEST 
Currently testing Mageia 1 i586, using pop3, imap, nntp, rss, irc,
and web browsing.

CC: (none) => davidwhodgins

Comment 2 Dave Hodgins 2012-06-15 21:46:03 CEST 
Testing complete on Mageia 1.

There's a problem with Mageia 2 i586.  The rpm package
is not showing up on the mirrors, such as
http://twiska.zarb.org/mageia/distrib/2/i586/media/core/updates_testing
Comment 3 Anssi Hannula 2012-06-15 21:48:11 CEST 
It is in nonfree/updates_testing, not core.
Dave Hodgins 2012-06-15 22:55:13 CEST

Whiteboard: (none) => mga1-32-OK

Comment 4 Derek Jennings 2012-06-16 00:11:05 CEST 
All OK on Mga2 x86_64
Installing Opera pulled in new dependencies 
libx11_6
libxau6
libxcb1
libxdmcp6
libxext6
libxt6

Does that mean all these will have to go into NonFree/Updates to get around Bug 2317 ?

CC: (none) => derekjenn
Whiteboard: mga1-32-OK => mga1-32-OK mga2-64-OK

Comment 5 claire robinson 2012-06-16 00:27:57 CEST 
Its when the update installs new dependencies Derek. It's also added suggests.

Depcheck says opera is ok though.
Comment 6 Derek Jennings 2012-06-16 01:09:28 CEST 
There is something not right here. Installing 64bit Opera installs a bunch of 32 bit dependencies. The 64 bit version of all these libraries is already installed.

# urpmi opera
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Nonfree Updates Testing (distrib15)")
  opera                          12.00        1.mga2.nonfr> x86_64  
(medium "Core 32bit Release (distrib31)")
  libice6                        1.0.8        1.mga2        i586    
  libsm6                         1.2.1        1.mga2        i586    
  libx11_6                       1.4.99.1     4.mga2        i586    
  libxau6                        1.0.7        1.mga2        i586    
  libxcb1                        1.8.1        1.mga2        i586    
  libxdmcp6                      1.1.1        1.mga2        i586    
  libxext6                       1.3.1        1.mga2        i586    
  libxt6                         1.1.2        2.mga2        i586    
45MB of additional disk space will be used.
14MB of packages will be retrieved.
Proceed with the installation of the 9 packages? (Y/n) y

Unvalidating for mga2-64 for the moment.

Whiteboard: mga1-32-OK mga2-64-OK => mga1-32-OK

Comment 7 Dave Hodgins 2012-06-16 01:42:12 CEST 
(In reply to comment #3)
> It is in nonfree/updates_testing, not core.

Yes.  I'd forgotten to enable Nonfree Updates Testing in my Mga 2 install.

Testing complete for Mageia 2 i586.

Whiteboard: mga1-32-OK => mga1-32-OK, mga2-32-OK

Comment 8 Dave Hodgins 2012-06-16 01:44:11 CEST 
(In reply to comment #6)
> There is something not right here. Installing 64bit Opera installs a bunch of
> 32 bit dependencies. The 64 bit version of all these libraries is already
> installed.

ftp://ftp.opera.com/pub/opera/linux/1200/

Opera does have 64 bit versions, so it shouldn't need 32 bit libraries.
Comment 9 Dave Hodgins 2012-06-16 01:48:47 CEST 
(In reply to comment #6)
> There is something not right here. Installing 64bit Opera installs a bunch of
> 32 bit dependencies. The 64 bit version of all these libraries is already
> installed.

Can you check to see if the Core Release version pulls in the 32 bit
libraries?  Opera may need those for compatibility with 32 bit plugins.

If the Core Release version also pulls them in, and opera:about in the
address bar shows 64 bit for the system, after installing the updates testing
version, then the bug should be revalidated for mga2-64.
Comment 10 Manuel Hiebel 2012-06-16 02:55:06 CEST 
I confirm comment 6 in mga1:

[root@vosdook ~]# LC_ALL=C urpmi --searchmedia "Nonfree Updates" opera
installing opera-11.64-1.mga1.nonfree.x86_64.rpm from /mnt/data/var/pub/1/x86_64/media/nonfree/updates
Preparing...                     #############################################
      1/1: opera                 #############################################
[root@vosdook ~]# LC_ALL=C urpmi --searchmedia "Nonfree Updates Testing" opera
To satisfy dependencies, the following packages are going to be installed:
   Package                        Version      Release       Arch   
(medium "Nonfree Updates Testing")
  opera                          12.00        1.mga1.nonfr> x86_64  
(medium "Core 32bit Release")
  libice6                        1.0.7        2.mga1        i586    
  libsm6                         1.2.0        2.mga1        i586    
  libx11_6                       1.4.3        1.mga1        i586    
  libxau6                        1.0.6        1.mga1        i586    
  libxcb1                        1.7          1.mga1        i586    
  libxdmcp6                      1.1.0        1.mga1        i586    
  libxext6                       1.2.0        2.mga1        i586    
  libxt6                         1.1.1        2.mga1        i586    
6.8MB of additional disk space will be used.
14MB of packages will be retrieved.
Proceed with the installation of the 9 packages? (Y/n)  

Was working fine before

CC: (none) => qa-bugs, sysadmin-bugs
Component: RPM Packages => Release (media or process)
Assignee: qa-bugs => anssi.hannula

Manuel Hiebel 2012-06-16 02:55:20 CEST

Component: Release (media or process) => Security

Comment 11 Manuel Hiebel 2012-06-16 02:55:59 CEST 
sorry :/

CC: sysadmin-bugs => (none)

Comment 12 Anssi Hannula 2012-06-16 09:43:26 CEST 
New packages have been submitted to nonfree/updates_testing with the requirement regression on x86_64 fixed:
opera-12.00-1.1.mga1.nonfree
opera-12.00-1.1.mga2.nonfree

Advisory is unchanged.
Anssi Hannula 2012-06-16 09:44:18 CEST

Assignee: anssi.hannula => qa-bugs

Comment 13 Derek Jennings 2012-06-16 11:35:40 CEST 
Thats better.  Thanks 
opera-12.00-1.1.mga2.nonfree
validated for mga2 x86_64

Whiteboard: mga1-32-OK, mga2-32-OK => mga1-32-OK, mga2-32-OK mga2-64-OK

Comment 14 claire robinson 2012-06-16 11:43:21 CEST 
Depcheck still says it's ok.

Testing x86_64 mga1
Comment 15 Luan Pham 2012-06-16 11:57:52 CEST 
Tested on i586 mga2 so far so go, and I also tested on x86_64 mga2 and it seem to work fine also.

CC: (none) => pham182b

Comment 16 claire robinson 2012-06-16 12:10:22 CEST 
Tested flash, java, email, checked libs

All seems ok x86_64 mga1

It should be rechecked on mga1 i586 before validating, removing that whiteboard keyword.

opera-12.00-1.1.mga1.nonfree
opera-12.00-1.1.mga2.nonfree

Whiteboard: mga1-32-OK, mga2-32-OK mga2-64-OK => mga2-32-OK mga2-64-OK mga1-64-OK

Comment 17 Dave Hodgins 2012-06-16 23:51:09 CEST 
Testing complete on Mageia 1 i586.  Validating the update.

Could someone from the sysadmin team push the srpm
opera-12.00-1.1.mga2.nonfree
from Mageia 2 Nonfree Updates Testing to Nonfree Updates and
push the srpm
opera-12.00-1.1.mga1.nonfree
from Mageia 1 Nonfree Updates Testing to Nonfree Updates.

Advisory: Opera 12.00 fixes several security and stability issues found
in previous versions and contains new and improved features.

Fixed an issue where hidden keyboard navigation could allow cross site
scripting or code execution, as reported by Jordi Chancel.
http://www.opera.com/support/kb/view/1021/

Fixed an issue where a combination of clicks and key presses could lead
to cross site scripting or code execution, as reported by Jordi Chancel.
http://www.opera.com/support/kb/view/1020/

Fixed an issue where cross-domain JSON resources may be exposed as
JavaScript variable data.
http://www.opera.com/support/kb/view/1019/

Fixed an issue where carefully timed reloads, redirects, and navigation
could spoof the address field, as reported by Jordi Chancel.
http://www.opera.com/support/kb/view/1018/

Fixed an issue where pages could prevent navigation to a target page,
spoofing the address field, as reported by Code Audit Labs of vulnhunt.com.
http://www.opera.com/support/kb/view/1022/

For a complete list of changes including the non-security fixes, see
http://www.opera.com/docs/changelogs/unix/1200/

https://bugs.mageia.org/show_bug.cgi?id=6465

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: mga2-32-OK mga2-64-OK mga1-64-OK => mga2-32-OK mga2-64-OK mga1-64-OK, mga1-32-OK

Comment 18 Thomas Backlund 2012-06-19 21:18:06 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0121

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED