
[linux-security] xchat allows execution of arbitrary code



Topic
=====
A security issue in XChat allows a malicious server to execute arbitrary
commands.

Problem Description
===================
XChat is a popular cross-platform IRC client.

Versions of XChat prior to 1.8.9 do not filter the response from an IRC
server when a /dns query is executed. Because XChat resolves hostnames by
passing the configured resolver and hostname to a shell, an IRC server may
return a maliciously formatted response that executes arbitrary commands
with the privileges of the user running XChat.
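The class of bug described above, and one way to avoid it, as an added example. This is not XChat's code or its actual 1.8.9 fix; the function names and the allow-list policy are assumptions made for illustration. The server-supplied hostname is checked against an allow-list and handed to the resolver as a single argv element, so no shell ever parses it.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern (illustrative): build "resolver host" as one string and
 * hand it to system()/sh -c, so the shell interprets whatever was sent. */

/* Allow only characters valid in a DNS hostname. Shell metacharacters,
 * whitespace and a leading '-' (option injection) are all rejected. */
int is_safe_hostname(const char *h)
{
    size_t n = h ? strlen(h) : 0;
    if (n == 0 || n > 253 || h[0] == '-' || h[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = h[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fill argv for the resolver; 0 on success, -1 if the host is rejected. */
int build_resolver_argv(const char *resolver, const char *host, char *argv[3])
{
    if (!resolver || !is_safe_hostname(host))
        return -1;
    argv[0] = (char *)resolver;
    argv[1] = (char *)host;   /* one argument, never re-parsed */
    argv[2] = NULL;
    return 0;
}

/* Run the resolver directly (no shell); returns its exit status or -1. */
int run_resolver(const char *resolver, const char *host)
{
    char *argv[3];
    int status;
    if (build_resolver_argv(resolver, host, argv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);           /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```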

Affected Systems
================
xchat versions < 1.8.9

Solution
========
Upgrade to version 1.8.9.

RedHat 6.x
----------
rpm -Fvh xchat-1.8.9-1.62.0.i386.rpm

RedHat 7.0
----------
rpm -Fvh xchat-1.8.9-1.70.0.i386.rpm

RedHat 7.1
----------
rpm -Fvh xchat-1.8.9-1.71.0.i386.rpm

RedHat 7.2
----------
rpm -Fvh xchat-1.8.9-1.72.0.i386.rpm

RedHat 7.3
----------
rpm -Fvh xchat-1.8.9-1.73.0.i386.rpm