Re: Opera Browser Heap Overflow (Session Replay Attack)

[Petter Reinholdtsen <pere () opera com>]

A few comments to
<URL:http://www.securiteam.com/securitynews/5MP0B004UW.html>.

The crash is _not_ an unchecked buffer error in Opera 5.12.  It is a
mismatched new/delete[] pair in Opera 5.0 for Linux (and not 5.12 for
windows).

Also, there is no need for long reply lines.  The following reply from
the server will also crash Opera:

  HTTP/1.0 200 OK\r\n
  Connection: X\r\n
  X

As far as I can tell, the received reply is not written into any short
buffer, and it is not possible to format the reply in any way to get
code executed.

There is no security problem, just a plain old crash bug. :-)

Please update the "vulnerability" page as soon as possible.

Copy to the reporter and bugtraq for information.
-- 
##>  Petter Reinholdtsen <##    | pere () opera com