Mandrake Linux Security Advisory : licq (MDKSA-2001:032-1)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandrake Linux host is missing one or more security
updates.

Description :

Versions of Licq prior to 1.0.3 have a vulnerability involving the way
Licq parses received URLs. The received URLs are passed to the web
browser without any sanity checking by using the system() function.
Because of the lack of checks on the URL, remote attackers can pipe
other commands with the sent URLs causing the client to unwillingly
execute arbitrary commands. The URL parsing code has been fixed in the
most recent 1.0.3 version.

Users of Linux-Mandrake 7.1 and Corporate Server 1.0.1 will have to
manually remove the licq-data package by using 'rpm -e licq-data'
prior to upgrading.

Update :

The Licq update for Linux-Mandrake 7.2 was built against the qt2
libraries available in MandrakeFreq. As such, the previously released
Licq packages will be made available in MandrakeFreq and users of
Linux-Mandrake 7.2 without MandrakeFreq or the 'unsupported' updates
applied should use these new packages.

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 61906 ()

Bugtraq ID:

CVE ID: CVE-2001-0439
CVE-2001-0440

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now