Ubuntu
centerim package

[CVE-2008-1467] remote command execution via crafted URL

Bug #212088 reported by William Grant
258
Affects Status Importance Assigned to Milestone
centericq (Ubuntu)
Invalid
Undecided
Unassigned
Dapper
Won't Fix
Undecided
Unassigned
Edgy
Won't Fix
Undecided
Unassigned
Feisty
Won't Fix
Undecided
Unassigned
Gutsy
Invalid
Undecided
Unassigned
Hardy
Invalid
Undecided
Unassigned
centerim (Debian)
Fix Released
Unknown
centerim (Ubuntu)
Fix Released
Undecided
William Grant
Dapper
Invalid
Undecided
Unassigned
Edgy
Invalid
Undecided
Unassigned
Feisty
Invalid
Undecided
Unassigned
Gutsy
Won't Fix
Undecided
Unassigned
Hardy
Fix Released
Undecided
William Grant

Bug Description

Binary package hint: centerim

"** DISPUTED ** CenterIM 4.22.3 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URI, related to "received URLs in the message window." NOTE: this issue has been disputed due to the user-assisted nature, since the URL must be selected and launched by the victim."

It's still not good, even though it's user-assisted.

Related branches

lp:ubuntu/karmic/centerim

CVE References

William Grant (wgrant)
Changed in centerim:
assignee: nobody → fujitsu
status: New → In Progress
status: New → Invalid
status: New → Invalid
status: New → Invalid
Changed in centericq:
status: New → Invalid
status: New → Invalid
Revision history for this message
William Grant (wgrant) wrote :

Patch at http://repo.or.cz/w/centerim.git?a=blobdiff_plain;f=src/icqconf.cc;fp=src/icqconf.cc;hb=b28c6deaef58eb685a2d747b28b6a572122730d4;hpb=ad6ad53ebf791f97cb7337dc79ab2ce8ccb1246f.

Revision history for this message
William Grant (wgrant) wrote :

All versions down to Dapper are affected. I suspect the same patch should apply to all.

Changed in centericq:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Changed in centerim:
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package centerim - 4.22.2-1ubuntu2

---------------
centerim (4.22.2-1ubuntu2) hardy; urgency=low

  * SECURITY UPDATE: user-assisted arbitrary code execution via crafted URL.
    (LP: #212088)
    - debian/patches/CVE-2008-1467.dpatch: Ensure that the URL is properly
      quoted before launching the browser. Patch from upstream.
    - References:
      + CVE-2008-1467

 -- William Grant <email address hidden> Sat, 05 Apr 2008 16:56:52 +1100

Changed in centerim:
status: In Progress → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in centerim:
status: Unknown → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in centericq:
status: Confirmed → Won't Fix
Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in centericq:
status: Confirmed → Won't Fix
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in centerim (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in centericq (Ubuntu Dapper):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.