Pardus alert 2010-115 (kvirc)

From:
    	     
 
Eren Turkay <eren@pardus.org.tr> 
To:
    	     
 
pardus-security@pardus.org.tr 
Subject:
    	     
 
[Pardus-security] [PLSA 2010-115] Kvirc: Remote Code Execution 
Date:
    	     
 
Thu, 12 Aug 2010 23:05:46 +0300 (EEST)
Message-ID:
    	     
 
<20100812200546.35F1AA7AC45@lider.pardus.org.tr>
Archive-link:
    	     
 
Article, Thread
              
------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-115           security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-08-12
  Severity: 4
      Type: Remote
------------------------------------------------------------------------

Summary
=======

A vulnerability was fixed in kvirc, which  can  be  used  by  malicious 
people to execute arbitrary IRC commands via CTCP request. 


Description
===========

CVE-2010-2785: 

The IRC Protocol component in KVIrc 3.x and 4.x before r4693  does  not 
properly  handle \  (backslash)  characters,   which   allows   remote  
authenticated users to execute  arbitrary  CTCP  commands  via  vectors 
involving  \r and  \40  sequences,  a  different  vulnerability   than  
CVE-2010-2451 and CVE-2010-2452. 



Affected packages:

  Pardus 2009:
    kvirc, all before 4.0_rc3-13-9


Resolution
==========

There are update(s) for kvirc. You can update them via Package  Manager 
or with a single command from console: 

    pisi up kvirc

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=13901

------------------------------------------------------------------------

_______________________________________________
Pardus-security mailing list
Pardus-security@pardus.org.tr
http://liste.pardus.org.tr/mailman/listinfo/pardus-security