Bug 62618 - app-arch/lha: multiple vulnerabilities
Bug#: 62618 Product:  Gentoo Linux Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: vorlon@gentoo.org
Component: Security
URL:  http://rhn.redhat.com/errata/RHSA-2004-323.html
Summary: app-arch/lha: multiple vulnerabilities
Keywords:  
Status Whiteboard: B2 [glsa]
Opened: 2004-09-02 06:06 0000
Description:
Secunia Advisory at http://secunia.com/advisories/12435/

RH advisory:

An updated lha package fixes security vulnerability
Advisory: RHSA-2004:323-09
Last updated on: 2004-09-01
[...]

CVEs (cve.mitre.org):
CAN-2004-0694
CAN-2004-0745
CAN-2004-0769
CAN-2004-0771

Details:

An updated lha package that fixes a buffer overflow is now available.

LHA is an archiving and compression utility for LHarc format archives.

Lukasz Wojtow discovered a stack-based buffer overflow in all versions
of lha up to and including version 1.14. A carefully created archive could
allow an attacker to execute arbitrary code when a victim extracts or tests
the archive. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0769 to this issue.

Buffer overflows were discovered in the command line processing of all
versions of lha up to and including version 1.14. If a malicious user
could trick a victim into passing a specially crafted command line to the
lha command, it is possible that arbitrary code could be executed. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CAN-2004-0771 and CAN-2004-0694 to these issues.

Thomas Biege discovered a shell meta character command execution
vulnerability in all versions of lha up to and including 1.14. An attacker
could create a directory with shell meta characters in its name which could
lead to arbitrary command execution. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to
this issue.

Users of lha should update to this updated package which contains
backported patches and is not vulnerable to these issues.

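For the shell metacharacter issue (CAN-2004-0745 above), the relevant pattern is a program that builds a command line containing a file or directory name and hands it to system(), so that /bin/sh parses the name. The C example below is added here as an illustration and is not lha's code; the "ls -l" helper command, the directory names and the metacharacter list are assumptions made for the example. It shows the injected command string a shell would see and the fork/execvp form that passes the name as a single argv element, with "--" so that a name beginning with "-" is not read as an option.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: a directory name obtained from the file system or an
 * archive is spliced into a command string destined for system(), which runs
 * it through /bin/sh -c.  Returns 0 and fills cmd with what the shell would
 * parse; -1 if it does not fit.  (The "ls -l" helper is an assumption.) */
int build_shell_command(char *cmd, size_t cmd_len, const char *dir)
{
    int n = snprintf(cmd, cmd_len, "ls -l %s", dir);
    return (n < 0 || (size_t)n >= cmd_len) ? -1 : 0;
}

/* Characters to which /bin/sh assigns meaning.  Any of them in an untrusted
 * name can end the intended command or start another; whitespace alone
 * already splits the name into extra arguments. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";|&$`\"'\\<>()*?[]{}!#~ \t\n") != NULL;
}

/* Hardened form: no shell is involved.  The name travels as one argv element,
 * so ';' or '`' inside it are just bytes of a file name, and "--" keeps a name
 * beginning with '-' from being read as an option.  Returns the child's exit
 * status, or -1 if fork/exec/wait fails. */
int run_without_shell(const char *dir)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { "ls", "-l", "--", (char *)dir, NULL };
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed malicious directory name: once the string reaches system(), the
 * shell sees two commands, "ls -l docs" and "id".  Returns 1 when the built
 * command is exactly that string, i.e. the injection would succeed. */
int injection_reaches_shell(void)
{
    char cmd[128];
    const char *evil_dir = "docs; id";          /* constructed sample */
    return build_shell_command(cmd, sizeof cmd, evil_dir) == 0
        && strcmp(cmd, "ls -l docs; id") == 0
        && has_shell_meta(evil_dir);
}

int main(void)
{
    char cmd[128];
    build_shell_command(cmd, sizeof cmd, "docs; id");
    printf("string the shell would run:   %s\n", cmd);
    printf("metacharacters detected:      %d\n", has_shell_meta("docs; id"));
    printf("plain name flagged:           %d\n", has_shell_meta("plain_dir_01"));
    printf("exit status without a shell:  %d\n", run_without_shell("."));
    return 0;
}
```

has_shell_meta() is a detection aid, not the fix: a deny-list of characters is easy to get wrong across shells and locales, whereas execvp with an argv array removes the shell from the path entirely. Note that a name such as "-rf" contains no metacharacter at all, which is why the argv form also needs the "--" separator.
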
------- Comment #1 From Matthias Geerdsen 2004-09-02 06:09:43 0000 -------
Forgot this section of the RH adv:

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0771
http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
http://lw.ftw.zamosc.pl/lha-exploit.txt

------- Comment #2 From Matthias Geerdsen 2004-09-02 06:39:31 0000 -------
ok... didn't notice it was an errata by RedHat and it seems to have been dealt
with quite a while ago

*** This bug has been marked as a duplicate of 51285 ***

------- Comment #3 From Matthias Geerdsen 2004-09-05 05:03:29 0000 -------
It doesn't appear to be a total duplicate. There are new OSVDB entries and the
CAN numbers look kinda new. And Red Hat is patching quite a bit more than the
ebuild does at the moment, if I am not mistaken again.

------- Comment #4 From Matthias Geerdsen 2004-09-05 05:07:07 0000 -------
Created an attachment (id=38971)
Red Hat patch 4

Attaching RH patches in reverse order, newest first.

------- Comment #5 From Matthias Geerdsen 2004-09-05 05:07:58 0000 -------
Created an attachment (id=38972)
RH patch 3

------- Comment #6 From Matthias Geerdsen 2004-09-05 05:09:08 0000 -------
Created an attachment (id=38973)
RH patch 2

------- Comment #7 From Matthias Geerdsen 2004-09-05 05:12:11 0000 -------
Created an attachment (id=38975)
RH patch

RH Patch1: lha-114i-sec.patch
not attached, because it's identical to Gentoo's lha-114i.diff

------- Comment #8 From Thierry Carrez (RETIRED) 2004-09-05 08:37:03 0000 -------
usata, you fixed it last time, could you have a look?
We may have patched only part of the issues.

------- Comment #9 From Mamoru KOMACHI (RETIRED) 2004-09-07 06:23:50 0000 -------
Yes, it looks like another vulnerability. I added the patches to lha and released it
as lha-114i-r4.
Also I added =app-arch/lha-114i-r2 and =app-arch/lha-114i-r3 to p.mask.

------- Comment #10 From Thierry Carrez (RETIRED) 2004-09-07 08:50:37 0000 -------
Thanks usata, this is ready for yet another GLSA...

------- Comment #11 From Sune Kloppenborg Jeppesen 2004-09-08 13:37:03 0000 -------
GLSA 200409-13