X-Chat 1.4.2 and previous for all supported distributions.
A vulnerability in the X-Chat IRC client allows a malicious URL to
possibly execute arbitrary shell commands as the user running X-Chat.
X-Chat has a feature that allows a user to right-click on a URL in
an IRC window and open it in a browser. X-Chat passes the URL to
/bin/sh when executing the browser command. A malicious URL could
be created to run arbitrary commands or scripts on the system if a
user opens the URL.
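
The general defence against the flaw described above is to start the browser without /bin/sh, so the URL travels as a single argument. The C sketch below is an added example, not X-Chat's code or the maintainers' fix; the names url_is_acceptable and open_url and the scheme allowlist are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only URLs with an expected scheme and no control characters or
 * spaces. The scheme check also rules out a leading '-', which the
 * browser could otherwise parse as a command-line option. */
int url_is_acceptable(const char *url)
{
    static const char *const schemes[] = { "http://", "https://", "ftp://" };
    size_t i;
    int ok = 0;

    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
        if (strncmp(url, schemes[i], strlen(schemes[i])) == 0)
            ok = 1;
    if (!ok)
        return 0;
    for (; *url; url++)
        if (iscntrl((unsigned char)*url) || *url == ' ')
            return 0;
    return 1;
}

/* Run `browser url` without a shell. Returns the child's exit status,
 * or -1 if the URL is rejected or the child could not be started. */
int open_url(const char *browser, const char *url)
{
    pid_t pid;
    int status;

    if (!url_is_acceptable(url))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The URL is one argv element: characters such as '&', ';' or '$'
         * reach the browser as literal bytes and are never parsed by sh. */
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because no shell is involved, query strings containing '&' or '?' need no quoting or escaping before the browser is started.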
A new version of X-Chat has been released by the maintainers which
eliminates this vulnerability.
An essential update is available immediately from Helix Code, Inc.
via the Helix GNOME Updater and from the following URLs: