Debian Security Advisory

xchat -- Command Execution Via URLs Vulnerability

Date Reported:
30 Aug 2000
Affected Packages:
xchat
Security database references:
No other external database security references currently available.
More information:
The version of X-Chat that was distributed with Debian GNU/Linux 2.2 has a vulnerability in the URL handling code: when a user clicks on a URL, X-Chat starts netscape to view its target. However, it did not check the URL for shell metacharacters, so a crafted URL could be used to trick xchat into executing arbitrary commands.

This has been fixed in version 1.4.3-0.1, and we recommend you upgrade your xchat package(s) immediately.

Update: The powerpc packages mentioned in the first release of this advisory were linked with a version of libgtk that is not available in Debian GNU/Linux 2.2. They have been recompiled with the correct version and re-uploaded.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Architecture-independent component:
Intel ia32:
Motorola 680x0:
Sun Sparc: