
Bug 282891

Summary: =net-irc/kvirc-3* irc:// URI arbitrary command execution (CVE-2008-7070)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: arfrever, bugs, net-irc
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 245543, 248508, 258791, 275733

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-27 12:21:37 UTC
CVE-2008-7070 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7070):
  Argument injection vulnerability in the URI handler in KVIrc 3.4.2
  Shiny allows remote attackers to execute arbitrary commands via a "
  (quote) followed by command line switches in a (1) irc:///, (2)
  irc6:///, (3) ircs:///, or (4) ircs6:/// URI.  NOTE: this might
  be due to an incomplete fix for CVE-2007-2951.
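
The argument-injection pattern named in the CVE text above, as an added example (not part of the bug report and not KVIrc's code): it contrasts a handler that pastes the URI into a quoted command string with one that validates the URI and passes it as a single argument. The `irc-client` command, the handler template and `--example-switch` are hypothetical, and the sample URIs are constructed.

```python
import shlex
from urllib.parse import urlsplit

# Schemes listed in the CVE description.
IRC_SCHEMES = {"irc", "irc6", "ircs", "ircs6"}

# Hypothetical handler template (assumption, not KVIrc's real registration):
# the URI is pasted between quotes and the string is then split into
# arguments, as a shell or a naive launcher would do.
TEMPLATE = 'irc-client "{uri}"'

# Constructed sample inputs.
BENIGN = "irc://irc.example.org/channel"
INJECTED = 'irc:///" --example-switch value "'


def naive_argv(uri):
    """Vulnerable pattern: substitute into a string, then tokenize it."""
    return shlex.split(TEMPLATE.format(uri=uri))


def is_safe_irc_uri(uri):
    """Reject quoting characters, whitespace, controls and foreign schemes."""
    if any(ch in '"\'`\\' for ch in uri):
        return False
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in uri):
        return False
    return urlsplit(uri).scheme.lower() in IRC_SCHEMES


def safe_argv(uri):
    """Hardened pattern: validate, then pass the URI as one argv element."""
    if not is_safe_irc_uri(uri):
        raise ValueError("rejected URI: %r" % uri)
    # "--" ends option parsing for programs that follow that convention.
    return ["irc-client", "--", uri]


if __name__ == "__main__":
    for sample in (BENIGN, INJECTED):
        print("naive:", naive_argv(sample))
        try:
            print("safe: ", safe_argv(sample))
        except ValueError as exc:
            print("safe: ", exc)
```
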
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2009-11-14 09:53:35 UTC
Security: =kvirc-3* isn't in tree anymore, so just close this bug?
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-11 16:07:06 UTC
I've manually checked the source and it seems fixed in our actual stable.

Closing as noglsa