=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN112
_____________________________________________________________________

DATE                      : 04/04/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Opera.

======================================================================
http://www.opera.com/support/search/view/882/
http://www.opera.com/docs/changelogs/linux/927/
______________________________________________________________________

Advisory:  Resized canvas patterns can cause Opera to execute
arbitrary code

Severity
Moderately Severe


Problem Description
HTML CANVAS elements can use scaled images as patterns. With suitable
scaling manipulation of the image, a script can cause Opera to crash.
This crash can sometimes cause memory corruption. To inject code,
additional techniques will have to be employed.


Opera's Response
Opera Software has released Opera 9.27 with a fix for this vulnerability.

Credits

Thanks to Michal Zalewski for reporting this issue to Opera Software.
______________________________________________________________________

Changelog for Opera 9.27 for Linux

Opera 9.27 for Linux is available for download.
Release Notes

This release is a recommended security and stability upgrade. See the
Security section for additional information.

Changes Since Opera 9.26

Security

     * Fixed an issue where newsfeed prompts could cause Opera to execute
       arbitrary code, as reported by Michal Zalewski. See our advisory.
     * Solved an issue where resized canvas patterns could cause Opera to
       execute arbitrary code, as reported by Michal Zalewski. See our
       advisory.
     * Improved keyboard handling of password inputs, as reported by
       Trystan S.

Miscellaneous

     * Fixed a BitTorrent transfer stability issue.
     * Resolved stability issues with the Acid 3 test.
     * Additional stability fixes.

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================




