FreeBSD Security Advisories
2000-Sep-13 13:34 UTC
FreeBSD Ports Security Advisory: FreeBSD-SA-00:48.xchat
-----BEGIN PGP SIGNED MESSAGE----- ============================================================================FreeBSD-SA-00:48 Security Advisory FreeBSD, Inc. Topic: xchat port inappropriately handles URLs Category: ports Module: xchat, xchat-devel Announced: 2000-09-13 Affects: Ports collection. Corrected: 2000-08-27 Vendor status: Updated version released FreeBSD only: NO I. Background Xchat is a popular graphical IRC client. II. Problem Description The xchat IRC client provides the ability to launch URLs displayed in an IRC window in a web browser by right clicking on the URL. However this was handled incorrectly in versions prior to 1.4.3, and prior to 1.5.7 in the 1.5 development series, and allowed a malicious IRC user to embed command strings in a URL which could cause an arbitrary command to be executed as the local user if the URL were to be "launched" in a browser as described above. The xchat port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3800 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 4.0 and 3.5.1 contain this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Remote IRC users can cause an arbitrary command to be executed by the local user, if they attempt to launch a malformed URL by right clicking on it. If you have not chosen to install the xchat or xchat-devel ports/packages, then your system is not vulnerable to this problem. IV. Workaround Do not attempt to launch URLs which contain the ` (backtick) character. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the xchat or xchat-devel port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/xchat-1.4.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/irc/xchat-1.4.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/irc/xchat-1.4.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/xchat-1.4.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/xchat-1.4.3.tgz 3) download a new port skeleton for the xchat port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOb/kBlUuHi5z0oilAQEoEgP+Lso/K6rgAVDeWfsfean7fmKVX1ViID0j LUGlnLGohzSRC14W+21NIfChc0yl9gMmJRgkNHRLPkuyQBmdp8iHBsQlejjeq2PH ZqSF6++V3YBqm4H7EgfaNKTk3wn0l/8w+dw3l9iMxmcS8P1oxo4lq04Ufao/N8TS iCWpAmNQI44=0uMP -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message