[21516] in bugtraq
Re: Opera Browser Heap Overflow (Session Replay Attack)
daemon@ATHENA.MIT.EDU (Petter Reinholdtsen)
Mon Jul 16 00:44:51 2001
To: comments@securiteam.com
Cc: msarica@bilgiteks.com, bugtraq@securifyfocus.com
From: Petter Reinholdtsen <pere@opera.com>
Message-Id: <E15KjZ6-0006f5-00@zoot>
Date: Thu, 12 Jul 2001 18:43:48 +0200
Resent-From: pere@mail.opera.no
Resent-To: bugtraq@securityfocus.com
A few comments to
<URL:http://www.securiteam.com/securitynews/5MP0B004UW.html>.
The crash is _not_ an unchecked buffer error in Opera 5.12. It is a
mismatched new/delete[] pair in Opera 5.0 for Linux (and not 5.12 for
windows).
Also, there is no need for long reply lines. The following reply from
the server will also crash Opera:
HTTP/1.0 200 OK\r\n
Connection: X\r\n
X
As far as I can tell, the received reply is not written into any short
buffer, and it is not possible to format the reply in any way to get
code executed.
There is no security problem, just a plain old crash bug. :-)
Please update the "vulnerability" page as soon as possible.
Copy to the reporter and bugtraq for information.
--
##> Petter Reinholdtsen <## | pere@opera.com
