

Mandriva Advisories

Package name: xchat
Date: January 17th, 2002
Advisory ID: MDKSA-2002:006
Affected versions: 7.1, 7.2, 8.0, 8.1, CS1.0
Synopsis: Updated xchat packages fix CTCP vulnerability

Problem Description

zen-parse discovered a problem in versions 1.4.2 and 1.4.3 of xchat
that could allow a malicious user to send commands to the IRC server
they are on by taking advantage of the CTCP PING reply handler in
xchat. This could be used for denial of service, channel takeovers,
and other similar attacks. The problem also exists in the 1.6 and 1.8
versions; however, it is controlled by the "percascii" variable, which
defaults to 0. If "percascii" is set to 1, the problem is exploitable.
This vulnerability has been fixed upstream in version 1.8.7.

Updated Packages

Mandrakelinux 7.1

 27fa0b00644a3d6ebb11b668bf6f1e8e  7.1/RPMS/xchat-1.8.7-1.3mdk.i586.rpm
e65886af7b35ddc185e14df38213c8c4  7.1/SRPMS/xchat-1.8.7-1.3mdk.src.rpm

Mandrakelinux 7.2

 c014496faa8a5889a00b545612bc66de  7.2/RPMS/xchat-1.8.7-1.2mdk.i586.rpm
c7a219059a88152e634b9cb36a1cee0f  7.2/SRPMS/xchat-1.8.7-1.2mdk.src.rpm

Mandrakelinux 8.0

 54e0b792297002e075a775ff66b47184  8.0/RPMS/xchat-1.8.7-1.1mdk.i586.rpm
6a55c811c3795de0f38c4f3e946edecf  8.0/SRPMS/xchat-1.8.7-1.1mdk.src.rpm

Mandrakelinux 8.0/PPC

 0fb9eb64dc80e07e8ddb25bad8adb8fc  ppc/8.0/RPMS/xchat-1.8.7-1.1mdk.ppc.rpm
6a55c811c3795de0f38c4f3e946edecf  ppc/8.0/SRPMS/xchat-1.8.7-1.1mdk.src.rpm

Mandrakelinux 8.1

 d9c2e6756586964aceceb3b23fd0bb38  8.1/RPMS/xchat-1.8.7-1.1mdk.i586.rpm
6a55c811c3795de0f38c4f3e946edecf  8.1/SRPMS/xchat-1.8.7-1.1mdk.src.rpm

Mandrakelinux 8.1/IA64

 b96628062c40d86765ef77fa051fcb86  ia64/8.1/RPMS/xchat-1.8.7-1.1mdk.ia64.rpm
6a55c811c3795de0f38c4f3e946edecf  ia64/8.1/SRPMS/xchat-1.8.7-1.1mdk.src.rpm

Corporate Server 1.0.1

 27fa0b00644a3d6ebb11b668bf6f1e8e  1.0.1/RPMS/xchat-1.8.7-1.3mdk.i586.rpm
e65886af7b35ddc185e14df38213c8c4  1.0.1/SRPMS/xchat-1.8.7-1.3mdk.src.rpm


To upgrade automatically, use MandrivaUpdate.


Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.
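
For a manual download, the two checks described above can be scripted as follows. This is an added example, not part of the original advisory or a Mandriva tool: the function names and the list file (the advisory's "md5  path" lines saved to a text file) are assumptions. The MD5 comparison only catches a corrupted or mismatched download; the GPG signature check is still done by rpm --checksig.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check a downloaded RPM against
# the advisory's checksum list, then let rpm verify the GPG signature.

# advisory_md5 LIST FILE
# Prints the MD5 that LIST gives for FILE's basename (empty if not listed).
# LIST lines look like "<md5>  <dir>/<package>.rpm", with optional leading
# whitespace, exactly as they appear under "Updated Packages".
advisory_md5() {
    list=$1
    name=$(basename "$2")
    awk -v n="$name" '{
        k = split($2, parts, "/")          # compare on the last path component
        if (parts[k] == n) { print $1; exit }
    }' "$list"
}

# verify_download LIST FILE
# Returns 0 if the checksum matches, 1 on mismatch, 2 if FILE is not listed.
verify_download() {
    want=$(advisory_md5 "$1" "$2")
    [ -n "$want" ] || return 2
    have=$(md5sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ] || return 1
    return 0
}

# verify_and_checksig LIST FILE
# Checksum first; only if it matches, run the signature check from the advisory.
verify_and_checksig() {
    verify_download "$1" "$2" || return $?
    rpm --checksig "$2"
}

# Usage: sh verify.sh advisory.md5 xchat-1.8.7-1.1mdk.i586.rpm
if [ "$#" -eq 2 ]; then
    verify_and_checksig "$1" "$2"
fi
```

A return code of 2 means the file name does not appear in the list at all, which usually indicates the wrong package build for the release rather than a damaged download.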