Security Information / 2000 / Security Information -- xchat

Debian Security Advisory

xchat -- Command Execution Via URLs Vulnerability

Date Reported:

30 Aug 2000

Affected Packages:

xchat

Vulnerable:

Yes

Security database references:

No other external database security references currently available.

More information:

The version of X-Chat that was distributed with Debian GNU/Linux 2.2 has a vulnerability in the URL handling code: When a user clicks on a URL X-Chat will start netscape to view its target. However it did not check the URL for shell metacharacters, and this could be abused to trick xchat into executing arbitrary commands.

This has been fixed in version 1.4.3-0.1, and we recommend you upgrade your xchat package(s) immediately.

Update: The powerpc packages mentioned in the first release of this advisory were linked with a version of libgtk that is not available in Debian GNU/Linux 2.2. They have been recompiled with the correct version and re-uploaded.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:

http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3-0.1.diff.gz

http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3-0.1.dsc

http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3.orig.tar.gz

Architecture-independent component:

http://security.debian.org/dists/stable/updates/main/binary-all/xchat-common_1.4.3-0.1_all.deb

Alpha:

http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat-gnome_1.4.3-0.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat-text_1.4.3-0.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat_1.4.3-0.1_alpha.deb

ARM:

http://security.debian.org/dists/stable/updates/main/binary-arm/xchat-gnome_1.4.3-0.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/xchat-text_1.4.3-0.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/xchat_1.4.3-0.1_arm.deb

Intel ia32:

http://security.debian.org/dists/stable/updates/main/binary-i386/xchat-gnome_1.4.3-0.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/xchat-text_1.4.3-0.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/xchat_1.4.3-0.1_i386.deb

Motorola 680x0:

http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat-gnome_1.4.3-0.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat-text_1.4.3-0.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat_1.4.3-0.1_m68k.deb

PowerPC:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat-gnome_1.4.3-0.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat-text_1.4.3-0.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat_1.4.3-0.1_powerpc.deb

Sun Sparc:

http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat-gnome_1.4.3-0.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat-text_1.4.3-0.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat_1.4.3-0.1_sparc.deb