Re: MDKSA-2000:039 - xchat update (xchat-1.4.2-nourltoshell.patch)

[Anthony Fok <foka () DEBIAN ORG>]

On Sat, Aug 26, 2000 at 03:33:58AM -0400, Decklin Foster wrote:
> Joey Hess writes:
> > Actually it is. The "netscape (existing)" and "netscape (new window)"
> > menu entries are safe,
> Actually they're vulnerable too.
>
> http://drugs.org/just/say/'`yes`'
>
> The rule just puts openURL(%s) in single quotes, which can easily be
> broken out of as in the above pseudo-URL.
>
> I'm arguing for the use of execvp instead on the xchat mailing list,
> we'll see how this goes. It's 3:30 AM and I won't be able to write any
> code for it until tomorrow.

Hehe, a friend and Debian developer-to-be "Saka" YU Guanghui pointed
out an article on http://lwn.net/daily/.  It turns out that Conectiva
has already put out a patch for it, and it uses execvp instead of
gnome-lib.  :-)  Here is the link:

        http://lwn.net/daily/con-xchat.php3

And I have attach the patch in this message.  Hope this helps!  :-)

Anthony

P.S.  Conectiva's web site is at http://www.conectiva.com.br/.
      They have some other patches too, one of which I didn't quite
      understand (because I don't know GNOME).  :-)  It does include
      the up-to-date potfiles translations for es_ES and pt_BR,
      so if anyone is interested, include them.  :-)
      All in all, I am quite impressed by Conectiva's package.

--
Anthony Fok Tung-Ling                Civil and Environmental Engineering
foka () ualberta ca, foka () debian org    University of Alberta, Canada
Debian Chinese Project -- http://www.debian.org/international/chinese/
Come visit Our Lady of Victory Camp -- http://www.olvc.ab.ca/

Attachment: xchat-1.4.2-nourltoshell.patch
Description: