- Package name
- Advisory ID
- Affected versions
- 7.0 i586
XChat 1.3.9 and later allow users to right-click on a URL appearing in an IRC discussion and select the "Open in Browser" option. To open the URL in a browser, XChat passes the command to /bin/sh. This allows a malicious URL the ability to execute arbitrary shell commands as the user that is running XChat. This update changes the functionality of XChat to bypass the shell and execute the browser directly. Thanks go to Red Hat for providing the patch. Update: XChat 1.2.1 is vulnerable as well, so an update for 7.0 is now available.
ebf0d4a0d236453f63a797ea20f0758b 7.0/RPMS/xchat-1.4.1-4mdk.i586.rpm d695396fb97a55c6c7e2cdbb22079c00 7.0/SRPMS/xchat-1.4.1-4mdk.src.rpm