licq contains a flaw that allows a malicious user to execute arbitrary commands on the local machine. This flaw is due to insufficient checking of shell metacharacters in the system() call, which can lead to a loss of confidentiality.
Upgrade to version 1.0.3 or higher, as it has been reported to fix this vulnerability. Currently, there are no known workarounds to correct this issue. However, Stan Bubrouski has released a patch to address this vulnerability.
From Stan Bubrouski <email@example.com>:
diff -ur licq.1/src/log.cpp licq/src/log.cpp
--- licq.1/src/log.cpp Mon Jun 5 20:50:03 2000
+++ licq/src/log.cpp Sun Feb 25 15:14:16 2001
@@ -202,7 +202,8 @@
if (m_xLogWindow == NULL) return;
unsigned n = sprintf(szMsgMax, "%s", _szPrefix);
- vsprintf(&szMsgMax[n], _szFormat, argp);
+ vsnprintf(&szMsgMax[n], (MAX_MSG_SIZE - n - 1), _szFormat, argp);
+ szMsgMax[MAX_MSG_SIZE - 1] = '\0';
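Review bot: the `sprintf(szMsgMax, "%s", _szPrefix)` on the unchanged context line just above the new `vsnprintf` is still unbounded, and its return value `n` feeds the new size argument. If the prefix ever reaches the buffer size, that first write has already overflowed, and `MAX_MSG_SIZE - n - 1` becomes a huge value once it is converted to the `size_t` size parameter of `vsnprintf`, so the bound no longer protects anything. Suggest writing the prefix with `snprintf(szMsgMax, MAX_MSG_SIZE, "%s", _szPrefix)` and clamping `n` to at most `MAX_MSG_SIZE - 1` before computing the remaining space. The hunk also relies on `szMsgMax` being exactly `MAX_MSG_SIZE` bytes, which is not visible here; using `sizeof` on the buffer or a short comment would make that explicit. Finally, the visible lines only change log formatting and touch no `system()` call, so the commit description should say which code path this hunk is meant to protect.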