A few comments to <URL:http://www.securiteam.com/securitynews/5MP0B004UW.html>. The crash is _not_ an unchecked buffer error in Opera 5.12. It is a mismatched new/delete[] pair in Opera 5.0 for Linux (and not 5.12 for windows). Also, there is no need for long reply lines. The following reply from the server will also crash Opera: HTTP/1.0 200 OK\r\n Connection: X\r\n X As far as I can tell, the received reply is not written into any short buffer, and it is not possible to format the reply in any way to get code executed. There is no security problem, just a plain old crash bug. :-) Please update the "vulnerability" page as soon as possible. Copy to the reporter and bugtraq for information. -- ##> Petter Reinholdtsen <## | pereat_private
This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 21:44:09 PDT