Re: [Licq-devel] [security@LINUX-MANDRAKE.COM: MDKSA-2001:032-1 - licq update]

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

> This was an issue?

Only for stupid people who don't check urls before running them.  Since
there are a lot of stupid people out there, a fix was added in 1.0.3.

>
> ----- Forwarded message from Linux Mandrake Security Team <security@LINUX-MANDRAKE.COM> -----
>
> Delivered-To: jon@EMOSTAR.DYNDNS.ORG
> Approved-By: aleph1@SECURITYFOCUS.COM
> Delivered-To: bu...@li...
> Delivered-To: bu...@se...
> Mail-Followup-To: Linux Mandrake Security Announcements
>                   <sec...@li...>,
>                   Linux Mandrake Security
>                   <mdk...@li...>,
>                   Bugtraq <bu...@se...>,
>                   Linux Security List <lin...@se...>
> User-Agent: Mutt/1.3.15i
> Date:         Fri, 23 Mar 2001 19:18:28 -0700
> Reply-To: Linux Mandrake Security Team <security@LINUX-MANDRAKE.COM>
> From: Linux Mandrake Security Team <security@LINUX-MANDRAKE.COM>
> Subject:      MDKSA-2001:032-1 - licq update
> X-To:         Linux Mandrake Security Announcements
>               <sec...@li...>
> X-cc:         Linux Mandrake Security <mdk...@li...>,
>               Linux Security List <lin...@se...>
> To: BUGTRAQ@SECURITYFOCUS.COM
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ________________________________________________________________________
>
>                 Linux-Mandrake Security Update Advisory
> ________________________________________________________________________
>
> Package name:           licq
> Date:                   March 23rd, 2001
> Original Advisory Date: March 20th, 2001
> Advisory ID:            MDKSA-2001:032-1
>
> Affected versions:      7.1, 7.2, Corporate Server 1.0.1
> ________________________________________________________________________
>
> Problem Description:
>
>  Versions of Licq prior to 1.0.3 have a vulnerability involving the way
>  Licq parses received URLs.  The received URLs are passed to the web
>  browser without any sanity checking by using the system() function.
>  Because of the lack of checks on the URL, remote attackers can pipe
>  other commands with the sent URLs causing the client to unwillingly
>  execute arbitrary commands.  The URL parsing code has been fixed in
>  the most recent 1.0.3 version.
>
>  Users of Linux-Mandrake 7.1 and Corporate Server 1.0.1 will have to
>  manually remove the licq-data package by using "rpm -e licq-data" prior
>  to upgrading.
>
> Update:
>
>  The Licq update for Linux-Mandrake 7.2 was built against the qt2
>  libraries available in MandrakeFreq.  As such, the previously released
>  Licq packages will be made available in MandrakeFreq and users of
>  Linux-Mandrake 7.2 without MandrakeFreq or the "unsupported" updates
>  applied should use these new packages.
> ________________________________________________________________________
>
> Please verify the update prior to upgrading to ensure the integrity of
> the downloaded package.  You can do this with the command:
>   rpm --checksig package.rpm
> You can get the GPG public key of the Linux-Mandrake Security Team at
>   http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS
> If you use MandrakeUpdate, the verification of md5 checksum and GPG
> signature is performed automatically for you.
>
> Linux-Mandrake 7.1:
> f2d0e9e399834b4018d306ec32c2c616  7.1/RPMS/licq-1.0.3-2.2mdk.i586.rpm
> 30bdd5a1b0402e0bf8773089cfadb4ed  7.1/RPMS/licq-autoreply-1.0.3-2.2mdk.i586.rpm
> c489c68d5ef4348ec278ea4f13285cc4  7.1/RPMS/licq-console-1.0.3-2.2mdk.i586.rpm
> 4b574c6f7e5822551a4028cbfc299de3  7.1/RPMS/licq-devel-1.0.3-2.2mdk.i586.rpm
> 47a0f6c31795c75f7edc26674c0e9891  7.1/RPMS/licq-forwarder-1.0.3-2.2mdk.i586.rpm
> 1b08d1774855a97ad2551d88625e55eb  7.1/RPMS/licq-gtk-0.50.1-3.3mdk.i586.rpm
> f5a166cdc473298ff39a9d3d5d45fbfe  7.1/RPMS/licq-rms-1.0.3-2.2mdk.i586.rpm
> 8bb8f5d7809ecd40c0365261dc5f15ae  7.1/RPMS/licq-update-hosts-1.0.3-2.2mdk.i586.rpm
> 5698c01aa71559c101c097d5c27c0b51  7.1/SRPMS/licq-1.0.3-2.2mdk.src.rpm
> e8f21170c7456b8bd2178219afa98355  7.1/SRPMS/licq-gtk-0.50.1-3.3mdk.src.rpm
>
> Linux-Mandrake 7.2:
> fe66ebd7210b2ee8a5474640e98caef7  7.2/RPMS/licq-1.0.3-2.3mdk.i586.rpm
> 34a0a105bbfea233f3af7ca041ac7344  7.2/RPMS/licq-autoreply-1.0.3-2.3mdk.i586.rpm
> 97b844e166830647df7263c904e3e22b  7.2/RPMS/licq-console-1.0.3-2.3mdk.i586.rpm
> 69599cbd57b69d962ea3d01d8f599796  7.2/RPMS/licq-devel-1.0.3-2.3mdk.i586.rpm
> 3593d53adb66ccdfe4deed0d78f5d465  7.2/RPMS/licq-forwarder-1.0.3-2.3mdk.i586.rpm
> 388637f969eefc830f5d294ebd853e46  7.2/RPMS/licq-rms-1.0.3-2.3mdk.i586.rpm
> 930744f996467b20e253ab33a401ac4b  7.2/RPMS/licq-update-hosts-1.0.3-2.3mdk.i586.rpm
> ae4fbacd9312202e451fd16d86f4cc22  7.2/SRPMS/licq-1.0.3-2.3mdk.src.rpm
>
> Corporate Server 1.0.1:
> f2d0e9e399834b4018d306ec32c2c616  1.0.1/RPMS/licq-1.0.3-2.2mdk.i586.rpm
> 30bdd5a1b0402e0bf8773089cfadb4ed  1.0.1/RPMS/licq-autoreply-1.0.3-2.2mdk.i586.rpm
> c489c68d5ef4348ec278ea4f13285cc4  1.0.1/RPMS/licq-console-1.0.3-2.2mdk.i586.rpm
> 4b574c6f7e5822551a4028cbfc299de3  1.0.1/RPMS/licq-devel-1.0.3-2.2mdk.i586.rpm
> 47a0f6c31795c75f7edc26674c0e9891  1.0.1/RPMS/licq-forwarder-1.0.3-2.2mdk.i586.rpm
> 1b08d1774855a97ad2551d88625e55eb  1.0.1/RPMS/licq-gtk-0.50.1-3.3mdk.i586.rpm
> f5a166cdc473298ff39a9d3d5d45fbfe  1.0.1/RPMS/licq-rms-1.0.3-2.2mdk.i586.rpm
> 8bb8f5d7809ecd40c0365261dc5f15ae  1.0.1/RPMS/licq-update-hosts-1.0.3-2.2mdk.i586.rpm
> 5698c01aa71559c101c097d5c27c0b51  1.0.1/SRPMS/licq-1.0.3-2.2mdk.src.rpm
> e8f21170c7456b8bd2178219afa98355  1.0.1/SRPMS/licq-gtk-0.50.1-3.3mdk.src.rpm
> ________________________________________________________________________
>
> To upgrade automatically, use MandrakeUpdate.
>
> If you want to upgrade manually, download the updated package from one
> of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".
>
> You can download the updates directly from one of the mirror sites
> listed at:
>
>   http://www.linux-mandrake.com/en/ftp.php3.
>
> Updated packages are available in the "updates/[ver]/RPMS/" directory.
> For example, if you are looking for an updated RPM package for
> Linux-Mandrake 7.2, look for it in "updates/7.2/RPMS/".  Updated source
> RPMs are available as well, but you generally do not need to download
> them.
>
> Please be aware that sometimes it takes the mirrors a few hours to
> update.
>
> You can view other security advisories for Linux-Mandrake at:
>
>   http://www.linux-mandrake.com/en/security/
>
> If you want to report vulnerabilities, please contact
>
>   sec...@li...
> ________________________________________________________________________
>
> Linux-Mandrake has two security-related mailing list services that
> anyone can subscribe to:
>
> sec...@li...
>
>   Linux-Mandrake's security announcements mailing list.  Only
>   announcements are sent to this list and it is read-only.
>
> sec...@li...
>
>   Linux-Mandrake's security discussion mailing list.  This list is open
>   to anyone to discuss Linux-Mandrake security specifically and Linux
>   security in general.
>
> To subscribe to either list, send a message to
>   sy...@li...
> with "subscribe [listname]" in the body of the message.
>
> To remove yourself from either list, send a message to
>   sy...@li...
> with "unsubscribe [listname]" in the body of the message.
>
> To get more information on either list, send a message to
>   sy...@li...
> with "info [listname]" in the body of the message.
>
> Optionally, you can use the web interface to subscribe to or unsubscribe
> from either list:
>
>   http://www.linux-mandrake.com/en/flists.php3#security
> ________________________________________________________________________
>
> Type Bits/KeyID     Date       User ID
> pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
>   <sec...@li...>
>
>
> - -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
> L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
> WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
> P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
> hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
> PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
> 2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
> iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
> LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
> ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
> PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
> /NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulq5AQ0EOWnn
> 7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77
> 9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV
> Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s
> +A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX
> Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl
> 3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi
> RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX
> lA==
> =WxWn
> - -----END PGP PUBLIC KEY BLOCK-----
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE6u422mqjQ0CJFipgRArTAAKCXZqDuWHhBOOSqRZI+EHmhtPN+UwCePOlv
> RPRYB9AgQYkJQ0pmGVciDnQ=
> =yack
> -----END PGP SIGNATURE-----
>
> ----- End forwarded message -----
>
> _______________________________________________
> Licq-devel mailing list
> Lic...@li...
> http://lists.sourceforge.net/lists/listinfo/licq-devel
>

_____________________________________________________________________
Graham Roff                         gr...@li...
University of Waterloo              ICQ #2127503
Computer Engineering                Canada

Nolites tes bastardes carborundorum