Mandrake Linux Security Advisory : licq (MDKSA-2001:032-1)

High Nessus Plugin ID 61906


The remote Mandrake Linux host is missing one or more security updates.


Versions of Licq prior to 1.0.3 have a vulnerability in the way Licq handles received URLs. Received URLs are passed to the web browser through the system() function without any sanity checking. Because the URL is not checked, remote attackers can pipe other commands with the sent URLs, causing the client to execute arbitrary commands unwittingly. The URL parsing code has been fixed in the most recent version, 1.0.3.
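
The pattern described above next to a hardened counterpart, as an added example. This is not Licq's source or the 1.0.3 fix; the function names, the length limit and the validation policy are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the advisory describes (illustration, not Licq's code): the
 * received URL is pasted into a command line that system() gives to sh. */
int open_url_unsafe(const char *browser, const char *url)
{
    char cmd[2048];
    snprintf(cmd, sizeof cmd, "%s %s", browser, url);
    return system(cmd);              /* the shell interprets the URL bytes */
}

/* Hypothetical policy: http/https only, bounded length, RFC 3986 chars. */
int url_is_acceptable(const char *url)
{
    static const char extra[] = "-._~:/?#[]@!$&'()*+,;=%";
    size_t len = strlen(url);
    if (len > 2000 || (strncmp(url, "http://", 7) != 0 &&
                       strncmp(url, "https://", 8) != 0))
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        int alnum = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                    (c >= 'A' && c <= 'Z');
        if (!alnum && strchr(extra, c) == NULL)
            return 0;                /* space, '|', '`', '<', '>', controls */
    }
    return 1;
}

/* Hardened form: validate, then exec the browser directly with the URL as
 * a single argv element so no shell parses it. Returns -1 on rejection. */
int open_url_safe(const char *browser, const char *url)
{
    if (!url_is_acceptable(url)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Characters such as ';' and '&' are legal in URLs and pass the check; they are harmless in open_url_safe only because the browser is started without a shell.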

Users of Linux-Mandrake 7.1 and Corporate Server 1.0.1 will have to manually remove the licq-data package by using 'rpm -e licq-data' prior to upgrading.

Update:

The Licq update for Linux-Mandrake 7.2 was built against the qt2 libraries available in MandrakeFreq. As such, the previously released Licq packages will be made available in MandrakeFreq and users of Linux-Mandrake 7.2 without MandrakeFreq or the 'unsupported' updates applied should use these new packages.


Update the affected packages.

Plugin Details

Severity: High

ID: 61906

File Name: mandrake_MDKSA-2001-032.nasl

Version: $Revision: 1.3 $

Type: local

Published: 2012/09/06

Modified: 2013/05/31

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:licq, p-cpe:/a:mandriva:linux:licq-autoreply, p-cpe:/a:mandriva:linux:licq-console, p-cpe:/a:mandriva:linux:licq-devel, p-cpe:/a:mandriva:linux:licq-forwarder, p-cpe:/a:mandriva:linux:licq-rms, p-cpe:/a:mandriva:linux:licq-update-hosts, cpe:/o:mandrakesoft:mandrake_linux:7.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2001/03/23

Reference Information

CVE: CVE-2001-0439, CVE-2001-0440

MDKSA: 2001:032-1