Mandrake Linux Security Advisory : licq (MDKSA-2001:032-1)

high Nessus Plugin ID 61906

Synopsis

The remote Mandrake Linux host is missing one or more security updates.

Description

Versions of Licq prior to 1.0.3 have a vulnerability in the way Licq handles received URLs. Received URLs are passed to the web browser through the system() function without any sanity checking.
Because the URL is not checked, a remote attacker can pipe other commands along with a sent URL, causing the client to unwittingly execute arbitrary commands. The URL parsing code has been fixed in the most recent version, 1.0.3.
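
The flaw class described above, shown next to a hardened form, as an added C example (it is not Licq's code and not part of the advisory). The function names, the allow-list and the use of `true` as a stand-in browser are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern from the advisory: the URL reaches /bin/sh via system(),
 * so shell metacharacters in it are parsed as shell syntax. Never called here. */
int open_url_unsafe(const char *browser, const char *url)
{
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s %s", browser, url);
    return system(cmd);
}

/* Allow-list check (assumed policy): http(s) scheme only, and a character set
 * deliberately narrower than RFC 3986 (no ; | ` $ quotes, spaces, controls). */
int url_is_acceptable(const char *url)
{
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++)
        if (!isalnum(*p) && !strchr("-._~:/?#@%&=+,", *p))
            return 0;
    return 1;
}

/* Hardened form: validate, then exec the browser directly with the URL as one
 * argv element, so no shell ever parses it. Returns the browser's exit status,
 * or -1 if the URL is rejected or the browser could not be run. */
int open_url(const char *browser, const char *url)
{
    if (!url_is_acceptable(url))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

int main(void) { return open_url("true", "http://example.org/") != 0; } /* constructed input */
```

The scheme check also rejects a value that begins with `-`, which a browser could otherwise read as a command-line option even when no shell is involved.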

Users of Linux-Mandrake 7.1 and Corporate Server 1.0.1 will have to manually remove the licq-data package by using 'rpm -e licq-data' prior to upgrading.

Update:

The Licq update for Linux-Mandrake 7.2 was built against the qt2 libraries available in MandrakeFreq. As such, the previously released Licq packages will be made available in MandrakeFreq and users of Linux-Mandrake 7.2 without MandrakeFreq or the 'unsupported' updates applied should use these new packages.

Solution

Update the affected packages.

Plugin Details

Severity: High

ID: 61906

File Name: mandrake_MDKSA-2001-032.nasl

Version: 1.6

Type: local

Published: 9/6/2012

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:licq, p-cpe:/a:mandriva:linux:licq-autoreply, p-cpe:/a:mandriva:linux:licq-console, p-cpe:/a:mandriva:linux:licq-devel, p-cpe:/a:mandriva:linux:licq-forwarder, p-cpe:/a:mandriva:linux:licq-rms, p-cpe:/a:mandriva:linux:licq-update-hosts, cpe:/o:mandrakesoft:mandrake_linux:7.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 3/23/2001

Reference Information

CVE: CVE-2001-0439, CVE-2001-0440

MDKSA: 2001:032-1