app-arch/lha also has CVE-2006-433[4-8] vulnerabilities.
http://www2.nsknet.or.jp/~micco/notes/gzipvul.htm (Japanese)
http://tinyurl.com/yerkfj (translated)
The patch for app-arch/lha is here:
http://lists.sourceforge.jp/mailman/archives/lha-users/2006-October/000411.html
Created attachment 99626: app-arch/lha/lha-1.14i_p20050924.ebuild
Created attachment 99627: app-arch/lha/files/lha-1.14i_p20050924-CVE-2006-4334-8.patch
Created attachment 99817: app-arch/lha-1.14i_p20050924.ebuild
Patched version was released by upstream.
lol it's dated October 17th :) http://sourceforge.jp/projects/lha/ (Japanese local time :þ ) Usata, could you have a look please and bump this new version?
ah, media-sound/timidity++ also has vulnerabilities. Should I post a new bug?
I had talked with usata and committed app-arch/lha-1.14i_p20050924.ebuild in his stead. I had tried unsuccessfully to fix media-sound/timidity++.
This versioning sucks a bit, triggers a false positive for an ancient GLSA:
app-arch/lha-1.14i_p20050924: vulnerable via glsa(200405-02) ( ver-rev <= 114i-r1 && ver-rev not >= 114i-r2 ), affects ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'm68k', 'ppc', 'ppc-macos', 'ppc64', 's390', 'sh', 'sparc', 'x86', 'x86-fbsd')
app-arch/lha-1.14i_p20050924: vulnerable via glsa(200409-13) ( ver-rev <= 114i-r3 && ver-rev not >= 114i-r4 ), affects ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'm68k', 'ppc', 'ppc-macos', 'ppc64', 's390', 'sh', 'sparc', 'x86', 'x86-fbsd')
> This versioning sucks a bit, triggers a false positive for an ancient GLSA:
>
This new versioning is the right one (regarding upstream versioning), so I've just updated GLSA 200405-02 & GLSA 200409-13 (my changes can't hurt anything). Concerning glsa-check, you can go on with lha-1.14i_p20050924, but "emerge" will continue to think that 114 is the newer, bad.
Should I rename it to lha-114i-r6?
renamed.
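Added example, not part of the bug thread or of Portage: a simplified version comparator showing why 1.14i_p20050924 falls inside the two GLSA ranges quoted above while 114i-r6 does not. The ordering rules are a reduced approximation of ebuild version comparison that handles only the version forms seen in this bug; the function names are hypothetical.

```python
import re

# Simplified Gentoo-style version ordering. Assumption: only the forms seen
# in this bug are handled (dotted numbers, one letter, _p<N>, -r<N>).
_VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:_p(\d+))?(?:-r(\d+))?$")


def parse(ver):
    """Return a tuple that sorts in (simplified) ebuild version order."""
    m = _VER.match(ver)
    if m is None:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    letter = m.group(2)                            # "" sorts before any letter
    patch = int(m.group(3)) if m.group(3) else -1  # no _p sorts before _p0
    rev = int(m.group(4) or 0)                     # missing -rN means -r0
    return (nums, letter, patch, rev)


def glsa_matches(ver, vulnerable_le, unaffected_ge):
    """Range test in the form glsa-check printed: <= X and not >= Y."""
    v = parse(ver)
    return v <= parse(vulnerable_le) and not v >= parse(unaffected_ge)


# Ranges copied from the glsa-check output quoted in this thread.
GLSA_RANGES = {
    "200405-02": ("114i-r1", "114i-r2"),
    "200409-13": ("114i-r3", "114i-r4"),
}


def flagged(ver):
    """List the GLSA ids whose vulnerable range contains ver."""
    return sorted(g for g, (le, ge) in GLSA_RANGES.items()
                  if glsa_matches(ver, le, ge))


if __name__ == "__main__":
    # The leading component 1 compares lower than 114, so the upstream-style
    # version sorts below every 114i-rN and lands in both old ranges.
    for ver in ("1.14i_p20050924", "114i-r6"):
        print(ver, "->", flagged(ver) or "not flagged")
```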
All archs: test and mark stable app-arch/lha-114i-r6
sparc stable --- builds and runs all tests. Hard for me to test further because I can't read the documentation.
x86 done... tested with games-fps/quake1-data... ;]
Thanks a lot Matsuu
ppc-macos stable
amd64 done.
ppc stable
All tests passed. Stable on alpha.
Stable on ia64.
ppc64 stable, thanks
stable on hppa
Removed old version.
Falco, is a GLSA needed here?
(In reply to comment #23)
> Falco is a GLSA needed here?
>
Some of the vulnerabilities concern an execution of code, of course a GLSA is needed (sorry for the delay :o )
GLSA 200611-24