Versions of xchat prior to version 1.8.7 contain a vulnerability which allows an attacker to cause a vulnerable client to execute arbitrary IRC server commands as if the vulnerable user had typed them. This security erratum updates xchat to version 1.8.7, which is not vulnerable to this attack.
xchat is a popular IRC client. Recently xchat has been found to contain a bug in the CTCP PING handling code which can be exploited to execute IRC commands on the IRC server as the vulnerable user. An attacker can use this, for example, to /op or /deop, to /kick someone out of a channel, to force the vulnerable user out of the channel with a /part, to change channel modes via the /mode command, or to impersonate a user via private /msg commands. This bug does not appear to allow an attacker to execute commands on the vulnerable computer, just to force IRC server commands to be run as if the vulnerable user had typed them.

All previous versions of xchat are vulnerable; however, only the 1.4.* versions are vulnerable by default. With later versions (1.6.*, 1.8.*), xchat is not vulnerable unless the user has enabled the client-side "percascii" variable with the command "/set percascii 1".

This security erratum updates xchat to version 1.8.7, for Red Hat Linux 6.2, 7.0, 7.1, 7.2, which is not vulnerable to this attack. All xchat users should update to this release.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0006 to this issue.

Thanks to zen-parse for discovering and reporting this problem, and also to Marcus Meissner at Caldera for providing a working sample exploit with which to easily test for affected versions.
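The version and percascii conditions described above can be turned into a triage check for a set of hosts. This is an added example, not part of the original advisory; the function names, the 'name = value' settings format and the sample inventory are assumptions made for illustration.

```python
import re

FIXED = (1, 8, 7)  # first release the advisory lists as not vulnerable

def parse_version(text):
    """Pull (major, minor, patch) out of a string such as 'xchat-1.8.6-1'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def percascii_enabled(conf_text):
    """True/False for the last percascii assignment, None if it is never set.
    Assumption: settings are stored as 'name = value' lines."""
    state = None
    for line in conf_text.splitlines():
        m = re.match(r"\s*percascii\s*=\s*(\S+)", line)
        if m:
            state = m.group(1) != "0"
    return state

def assess(version_text, conf_text=""):
    """Return 'fixed', 'exposed' (attackable as configured) or
    'latent' (vulnerable code present, percascii not enabled)."""
    version = parse_version(version_text)
    if version >= FIXED:
        return "fixed"
    if version[:2] > (1, 4):
        # 1.6.* and 1.8.* before 1.8.7: exposed only after "/set percascii 1"
        return "exposed" if percascii_enabled(conf_text) else "latent"
    # 1.4.* is vulnerable by default; older releases are listed as vulnerable
    # with no default stated, so both are reported conservatively.
    return "exposed"

# Constructed inventory: (host, installed package, saved settings text)
SAMPLE = [
    ("ws1", "xchat-1.4.2-1", ""),
    ("ws2", "xchat-1.8.6-1", "nickname1 = alice\npercascii = 1\n"),
    ("ws3", "xchat-1.8.6-1", "percascii = 0\n"),
    ("ws4", "xchat-1.8.7-1", "percascii = 1\n"),
]

def triage(inventory):
    """Map each host to its assessment."""
    return {host: assess(pkg, conf) for host, pkg, conf in inventory}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "latent" still run the vulnerable code and should receive the 1.8.7 update; the label only helps order the rollout.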