Mandrake Linux Security Advisory : licq (MDKSA-2001:032-1)
High Nessus Plugin ID 61906
Synopsis

The remote Mandrake Linux host is missing one or more security updates.
Description

Versions of Licq prior to 1.0.3 have a vulnerability in the way Licq parses received URLs. Received URLs are passed to the web browser through the system() function without any sanity checking.
Because of the lack of checks on the URL, remote attackers can pipe other commands with the sent URLs, causing the client to unwillingly execute arbitrary commands. The URL parsing code has been fixed in the most recent 1.0.3 version.
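The class of bug described above, and one way to avoid it, as an added example that is not Licq's code or its actual 1.0.3 fix: the URL is validated against an allowlist and handed to the browser as a single argv element, so no shell ever parses it. The function names, the allowlist and the 2048-byte limit are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the advisory describes (do not use): the URL is pasted into a
 * command line and run by /bin/sh via system(), so the shell interprets
 * any metacharacters in the URL:
 *     snprintf(cmd, sizeof cmd, "%s %s", browser, url); system(cmd);   */

/* Allowlist check: http/https only, bounded length, URL-safe bytes only. */
int url_is_acceptable(const char *url)
{
    static const char punct[] = "-._~:/?#@%=&+,";   /* assumed allowlist */
    size_t i, len;
    if (url == NULL) return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;                  /* also rejects a leading '-' (option) */
    len = strlen(url);
    if (len > 2048) return 0;      /* assumed upper bound */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr(punct, c) == NULL)
            return 0;              /* shell metachar, space, control byte */
    }
    return 1;
}

/* Launch the browser with the URL as one argv element; no shell involved.
 * Returns the browser's exit status, or -1 if rejected or not launched. */
int open_url(const char *browser, const char *url)
{
    pid_t pid;
    int status;
    if (!url_is_acceptable(url)) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{   /* Constructed sample inputs: the first is accepted, the second is not. */
    printf("%d %d\n", url_is_acceptable("https://example.com/a?b=1&c=2"),
           url_is_acceptable("http://example.com/x;y"));
    return 0;
}
```

The allowlist can afford to keep '&' for query strings only because open_url() never involves a shell; if the string could reach system() or popen() anywhere else, that character would have to go too.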
Users of Linux-Mandrake 7.1 and Corporate Server 1.0.1 will have to manually remove the licq-data package by using 'rpm -e licq-data' prior to upgrading.
The Licq update for Linux-Mandrake 7.2 was built against the qt2 libraries available in MandrakeFreq. As such, the previously released Licq packages will be made available in MandrakeFreq and users of Linux-Mandrake 7.2 without MandrakeFreq or the 'unsupported' updates applied should use these new packages.
Solution

Update the affected packages.