A few days ago we wrote about a crash in the Opera web browser that could lead to memory corruption and leave the browser open for arbitrary code to be executed. The bug was reported by Jordi Chancel on January 7th and revolves around an integer truncation error when handling an HTML “select” element containing an overly large number of children.
Shortly after we published our post, Opera Software left us a comment:
From Opera Software: The newest version of the Opera desktop browser released today, 11.01, contains a security fix for this bug. You can download Opera 11.01 from http://www.opera.com/browser/
According to the 11.01 change log, six security issues were fixed in the 11.01 release, including “fixed an issue where large form inputs could allow execution of arbitrary code, as reported by Jordi Chancel”.
The advisory on Opera’s web site says that “when certain large form inputs appear on a web page, they can cause Opera to crash. In some cases, the crash can lead to memory corruption, which could be used to execute code. To inject code, additional techniques will have to be employed.” They also go on to thank Jordi Chancel for reporting the issue.
Opera 11 was released last month and introduced tab stacking, extensions, visual mouse gestures and, most importantly from a security point of view, a redesigned address field that displays a clear badge indicating the security level of the web site.