KVIrc security issue with releases >= 3.2.0 (Dapper - Gutsy)

Bug #123595 reported by Rich Johnson
Affects          Status         Importance   Assigned to    Milestone
kvirc (Ubuntu)   Fix Released   High         Rich Johnson
Dapper           Fix Released   High         Rich Johnson
Edgy             Fix Released   High         Rich Johnson
Feisty           Fix Released   High         Rich Johnson
Gutsy            Fix Released   High         Rich Johnson

Bug Description

Binary package hint: kvirc

KVIrc Website News Announcement:
     http://www.kvirc.net/?id=news&story=2007.06.29.22.00.1.story&dir=latest

Secunia Advisory:
     http://secunia.com/secunia_research/2007-56/advisory/

CVE List:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2951

This issue affects all of the releases in the 3.2.x branch (from Dapper to Gutsy).

Description taken from Secunia:
---------------------------------------
Secunia Research has discovered a vulnerability in KVIrc, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the "parseIrcUrl()" function in
src/kvirc/kernel/kvi_ircurl.cpp not properly sanitising parts of the
URI when building the command for KVIrc's internal script system. This
can be exploited to inject and execute commands for the KVIrc script
system (including the "run" command, which can be leveraged to execute
shell commands) by e.g. tricking a user into opening a specially
crafted "irc://" or similar URI (e.g. "irc6://").

Successful exploitation requires that KVIrc is the default handler for
"irc://" and similar URIs.
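
The pattern the advisory describes (URI parts pasted into a line that a script interpreter parses) next to an allowlist check, as an added example that is not KVIrc's code or its actual fix. `IrcTarget`, the `connect` command name, the allowlists and the use of `;` as a command separator are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>

// Hypothetical holder for the untrusted parts of an irc:// style URI.
struct IrcTarget { std::string host, port, channel; };

const std::string ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

// Split "scheme://host[:port][/channel]" into raw parts; nothing is trusted yet.
bool splitIrcUri(const std::string &uri, IrcTarget &t) {
    const auto sep = uri.find("://");
    if (sep == std::string::npos) return false;
    const std::string scheme = uri.substr(0, sep);
    if (scheme != "irc" && scheme != "irc6") return false;
    std::string rest = uri.substr(sep + 3);
    const auto slash = rest.find('/');
    if (slash != std::string::npos) { t.channel = rest.substr(slash + 1); rest.erase(slash); }
    const auto colon = rest.rfind(':');
    if (colon != std::string::npos) { t.port = rest.substr(colon + 1); rest.erase(colon); }
    t.host = rest;
    return true;
}

// True when s is at most maxLen long and uses only characters from set.
bool onlyFrom(const std::string &s, const std::string &set, std::size_t maxLen) {
    return s.size() <= maxLen && s.find_first_not_of(set) == std::string::npos;
}

// Vulnerable pattern: raw parts pasted into a line a script interpreter parses.
// "connect" is an assumed command name, not KVIrc script syntax.
std::string buildUnchecked(const IrcTarget &t) {
    return "connect " + t.host + " " + t.port + " " + t.channel;
}

// Hardened pattern: every part must match a conservative allowlist, so no
// separator or expansion character can reach the interpreter; fail closed.
bool buildChecked(const IrcTarget &t, std::string &cmd) {
    if (t.host.empty() || !onlyFrom(t.host, ALNUM + ".-", 255)) return false;
    if (!onlyFrom(t.port, "0123456789", 5)) return false;
    if (!onlyFrom(t.channel, ALNUM + "#&+-_", 50)) return false;
    cmd = buildUnchecked(t);
    return true;
}

int main() {
    IrcTarget t; std::string cmd;  // constructed input; ';' assumed to separate commands
    splitIrcUri("irc://irc.example.net;echo injected/#chan", t);
    std::cout << buildUnchecked(t) << "\n" << (buildChecked(t, cmd) ? "accepted" : "rejected") << "\n";
}
```

The channel allowlist is deliberately stricter than what IRC permits in channel names; a handler that must accept the full range would need to escape for the interpreter's syntax instead of rejecting.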

Rich Johnson (nixternal) wrote :

NOTE: I added the Debian Maintainer Field information per the spec in order to properly build the source package.

William Grant (wgrant)
Changed in kvirc:
assignee: nobody → nixternal
importance: Undecided → High
status: New → Confirmed
assignee: nobody → nixternal
importance: Undecided → High
status: New → Confirmed
assignee: nobody → nixternal
importance: Undecided → High
status: New → Confirmed
assignee: nobody → nixternal
importance: Undecided → Medium
status: New → Confirmed
importance: Medium → High
Kees Cook (kees) wrote :

Since this bug had all the subtasks, I made it the master for the dups. Thanks for getting this all ready!

Changed in kvirc:
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
Kees Cook (kees)
Changed in kvirc:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Kees Cook (kees)
Changed in kvirc:
status: Fix Released → Fix Committed
Kees Cook (kees)
Changed in kvirc:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
