Bug#: 151252
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: MATSUU Takuto <matsuu@gentoo.org>
URL:
Summary:
Status Whiteboard:
Keywords:

Filename Description Type Creator Created Size Actions
lha-1.14i_p20050924.ebuild app-arch/lha/lha-1.14i_p20050924.ebuild text/plain MATSUU Takuto 2006-10-13 19:32 0000 811 bytes Details
lha-1.14i_p20050924-CVE-2006-4334-8.patch app-arch/lha/files/lha-1.14i_p20050924-CVE-2006-4334-8.patch patch MATSUU Takuto 2006-10-13 19:33 0000 4.02 KB Details | Diff
lha-1.14i_p20050924.ebuild app-arch/lha-1.14i_p20050924.ebuild text/plain MATSUU Takuto 2006-10-16 09:03 0000 721 bytes Details

Bug 151252 depends on: 145511 Show dependency tree
Bug 151252 blocks:



Description:   Opened: 2006-10-13 19:31 0000
app-arch/lha also has CVE-2006-433[4-8] vulnerabilities.

http://www2.nsknet.or.jp/~micco/notes/gzipvul.htm (Japanese)
http://tinyurl.com/yerkfj (translated)

Patch for app-arch/lha is here.
http://lists.sourceforge.jp/mailman/archives/lha-users/2006-October/000411.html

------- Comment #1 From MATSUU Takuto 2006-10-13 19:32:44 0000 -------
Created an attachment (id=99626) [details]
app-arch/lha/lha-1.14i_p20050924.ebuild

------- Comment #2 From MATSUU Takuto 2006-10-13 19:33:13 0000 -------
Created an attachment (id=99627) [details]
app-arch/lha/files/lha-1.14i_p20050924-CVE-2006-4334-8.patch

------- Comment #3 From MATSUU Takuto 2006-10-16 09:03:28 0000 -------
Created an attachment (id=99817) [details]
app-arch/lha-1.14i_p20050924.ebuild

Patched version was released by upstream.

------- Comment #5 From Raphael Marichez 2006-10-16 09:45:05 0000 -------
lol it's dated October 17th :)

http://sourceforge.jp/projects/lha/

(Japanese local time :þ )

Usata, could you have a look please and bump this new version.

------- Comment #6 From MATSUU Takuto 2006-10-16 15:55:19 0000 -------
Ah, media-sound/timidity++ also has vulnerabilities.
Should I post a new bug?

------- Comment #7 From MATSUU Takuto 2006-10-18 10:06:34 0000 -------
I had talked with usata and committed app-arch/lha-1.14i_p20050924.ebuild in his
stead.

I had tried unsuccessfully to fix media-sound/timidity++.

------- Comment #8 From Jakub Moc (RETIRED) 2006-10-20 03:36:56 0000 -------
This versioning sucks a bit, triggers a false positive for an ancient GLSA:

app-arch/lha-1.14i_p20050924: vulnerable via glsa(200405-02) ( ver-rev <=
114i-r1 && ver-rev not >= 114i-r2 ), affects ('alpha', 'amd64', 'arm', 'hppa',
'ia64', 'm68k', 'ppc', 'ppc-macos', 'ppc64', 's390', 'sh', 'sparc', 'x86',
'x86-fbsd')
app-arch/lha-1.14i_p20050924: vulnerable via glsa(200409-13) ( ver-rev <=
114i-r3 && ver-rev not >= 114i-r4 ), affects ('alpha', 'amd64', 'arm', 'hppa',
'ia64', 'm68k', 'ppc', 'ppc-macos', 'ppc64', 's390', 'sh', 'sparc', 'x86',
'x86-fbsd')

------- Comment #9 From Raphael Marichez 2006-10-20 06:10:52 0000 -------
> This versioning sucks a bit, triggers a false positive for an ancient GLSA:
> 

This new versioning is the right one (regarding upstream versioning), so I've
just updated GLSA 200405-02 & GLSA 200409-13 (my changes can't hurt anything).
Concerning glsa-check, you can go on with lha-1.14i_p20050924, but "emerge"
will continue to think that 114 is the newer, bad.
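
The false positive in comment #8 comes from how Portage orders versions: the first numeric component is compared as an integer, so 1.14i_p20050924 sorts below 114i-r1 and lands inside the old GLSA ranges, while a rename to 114i-r6 sorts above 114i-r4. The following is an added illustration, not Portage's or glsa-check's own code: a simplified PMS-style version comparator plus the "ver-rev <= X && ver-rev not >= Y" check printed by glsa-check. The function names, the simplifications (no handling of the leading-zero string rule beyond the basic case) and the sample versions are my own assumptions.

```python
import itertools
import re

# Suffix ordering per PMS: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_NO_SUFFIX = (_SUFFIX_RANK[""], 0)

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z]?)"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)


def parse_version(ver):
    """Split a Gentoo-style version into (numeric parts, letter, suffixes, revision)."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a valid version: {ver}")
    nums = m.group("nums").split(".")
    letter = m.group("letter")
    suffixes = [
        (_SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group("suffixes"))
    ]
    rev = int(m.group("rev") or 0)
    return nums, letter, suffixes, rev


def _cmp(a, b):
    return (a > b) - (a < b)


def _cmp_numeric(a, b):
    # First component is always an integer comparison: this is why "1" < "114".
    c = _cmp(int(a[0]), int(b[0]))
    if c:
        return c
    # Later components: integers unless either has a leading zero, in which case
    # PMS compares them as strings with trailing zeros stripped.
    for x, y in zip(a[1:], b[1:]):
        if x.startswith("0") or y.startswith("0"):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    return _cmp(len(a), len(b))


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is less than, equal to or greater than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    c = _cmp_numeric(na, nb)
    if c:
        return c
    c = _cmp(la, lb)  # "" sorts before any letter, so 1.14 < 1.14i
    if c:
        return c
    # A missing suffix counts as "no suffix" so that _p beats it and _rc loses to it.
    for x, y in itertools.zip_longest(sa, sb, fillvalue=_NO_SUFFIX):
        c = _cmp(x, y)
        if c:
            return c
    return _cmp(ra, rb)


def matches_glsa_range(installed, vulnerable_le, unaffected_ge):
    """The range glsa-check reports: ver-rev <= vulnerable_le && ver-rev not >= unaffected_ge."""
    return (compare_versions(installed, vulnerable_le) <= 0
            and compare_versions(installed, unaffected_ge) < 0)


if __name__ == "__main__":
    # Constructed sample: the two ranges quoted in comment #8.
    for installed in ("1.14i_p20050924", "114i-r6"):
        hit_02 = matches_glsa_range(installed, "114i-r1", "114i-r2")
        hit_13 = matches_glsa_range(installed, "114i-r3", "114i-r4")
        print(f"{installed}: GLSA 200405-02 {hit_02}, GLSA 200409-13 {hit_13}")
```

Run as a script it shows the same outcome Jakub saw: 1.14i_p20050924 is "vulnerable" under both old ranges, and 114i-r6 is not. The same integer-first rule is the reason `emerge` would keep treating 114i as the newer version.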

------- Comment #10 From MATSUU Takuto 2006-10-20 08:47:54 0000 -------
Should I rename it to lha-114i-r6?

------- Comment #11 From MATSUU Takuto 2006-10-31 08:36:27 0000 -------
Renamed.

------- Comment #12 From MATSUU Takuto 2006-11-02 04:39:51 0000 -------
All archs: test and mark stable app-arch/lha-114i-r6

------- Comment #13 From Ferris McCormick 2006-11-02 05:04:51 0000 -------
sparc stable --- builds and runs all tests.  Hard for me to test further
because I can't read the documentation.

------- Comment #14 From Chris Gianelloni (RETIRED) 2006-11-02 06:35:54 0000 -------
x86 done... tested with games-fps/quake1-data... ;]

------- Comment #15 From Raphael Marichez 2006-11-03 06:01:36 0000 -------
Thanks a lot Matsuu

------- Comment #16 From Fabian Groffen 2006-11-03 06:07:48 0000 -------
ppc-macos stable

------- Comment #17 From Danny van Dyk (RETIRED) 2006-11-03 15:44:32 0000 -------
amd64 done.

------- Comment #18 From Tobias Scherbaum 2006-11-04 06:59:13 0000 -------
ppc stable

------- Comment #19 From Jose Luis Rivero (yoswink) 2006-11-04 10:08:20 0000 -------
All tests passed.

Stable on alpha.

------- Comment #20 From Bryan Østergaard (RETIRED) 2006-11-04 12:01:33 0000 -------
Stable on ia64.

------- Comment #21 From Brent Baude 2006-11-04 19:53:51 0000 -------
ppc64 stable, thanks

------- Comment #22 From René Nussbaumer 2006-11-05 10:03:36 0000 -------
stable on hppa

------- Comment #23 From MATSUU Takuto 2006-11-06 04:04:12 0000 -------
Removed old version.

------- Comment #24 From Sune Kloppenborg Jeppesen 2006-11-20 23:32:13 0000 -------
Falco, is a GLSA needed here?

------- Comment #25 From Raphael Marichez 2006-11-24 13:51:50 0000 -------
(In reply to comment #23)
> Falco, is a GLSA needed here?
> 

Some of the vulnerabilities concern code execution, so of course a GLSA is
needed (sorry for the delay :o  )

------- Comment #26 From Raphael Marichez 2006-11-28 12:32:25 0000 -------
GLSA 200611-24
