Bug 151252 - app-arch/lha: multiple vulnerabilities (CVE-2006-433[4-8])
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa] Falco
Depends on: 145511

Reported: 2006-10-13 19:31 UTC by MATSUU Takuto (RETIRED)
Modified: 2006-11-28 12:32 UTC

Attachments
app-arch/lha/lha-1.14i_p20050924.ebuild (811 bytes, text/plain), 2006-10-13 19:32 UTC, MATSUU Takuto (RETIRED)
app-arch/lha/files/lha-1.14i_p20050924-CVE-2006-4334-8.patch (4.02 KB, patch), 2006-10-13 19:33 UTC, MATSUU Takuto (RETIRED)
app-arch/lha-1.14i_p20050924.ebuild (721 bytes, text/plain), 2006-10-16 09:03 UTC, MATSUU Takuto (RETIRED)

Description MATSUU Takuto (RETIRED) gentoo-dev 2006-10-13 19:31:54 UTC
app-arch/lha also has the CVE-2006-433[4-8] vulnerabilities.

http://www2.nsknet.or.jp/~micco/notes/gzipvul.htm (Japanese)
http://tinyurl.com/yerkfj (translated)

The patch for app-arch/lha is here:
http://lists.sourceforge.jp/mailman/archives/lha-users/2006-October/000411.html
Comment 1 MATSUU Takuto (RETIRED) gentoo-dev 2006-10-13 19:32:44 UTC
Created attachment 99626
app-arch/lha/lha-1.14i_p20050924.ebuild
Comment 2 MATSUU Takuto (RETIRED) gentoo-dev 2006-10-13 19:33:13 UTC
Created attachment 99627
app-arch/lha/files/lha-1.14i_p20050924-CVE-2006-4334-8.patch
Comment 3 MATSUU Takuto (RETIRED) gentoo-dev 2006-10-16 09:03:28 UTC
Created attachment 99817
app-arch/lha-1.14i_p20050924.ebuild

A patched version was released by upstream.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-16 09:45:05 UTC
lol, it's dated October 17th :)

http://sourceforge.jp/projects/lha/

(Japanese local time :þ )

Usata, could you have a look please and bump this new version?
Comment 6 MATSUU Takuto (RETIRED) gentoo-dev 2006-10-16 15:55:19 UTC
Ah, media-sound/timidity++ also has vulnerabilities.
Should I post a new bug?
Comment 7 MATSUU Takuto (RETIRED) gentoo-dev 2006-10-18 10:06:34 UTC
I talked with usata and committed app-arch/lha-1.14i_p20050924.ebuild in his stead.

I tried unsuccessfully to fix media-sound/timidity++.
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2006-10-20 03:36:56 UTC
This versioning sucks a bit; it triggers false positives for ancient GLSAs:

app-arch/lha-1.14i_p20050924: vulnerable via glsa(200405-02) ( ver-rev <= 114i-r1 && ver-rev not >= 114i-r2 ), affects ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'm68k', 'ppc', 'ppc-macos', 'ppc64', 's390', 'sh', 'sparc', 'x86', 'x86-fbsd')
app-arch/lha-1.14i_p20050924: vulnerable via glsa(200409-13) ( ver-rev <= 114i-r3 && ver-rev not >= 114i-r4 ), affects ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'm68k', 'ppc', 'ppc-macos', 'ppc64', 's390', 'sh', 'sparc', 'x86', 'x86-fbsd')
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-20 06:10:52 UTC
> This versioning sucks a bit; it triggers false positives for ancient GLSAs:

This new versioning is the right one (regarding upstream versioning), so I've just updated GLSA 200405-02 & GLSA 200409-13 (my changes can't hurt anything).
Concerning glsa-check, you can go on with lha-1.14i_p20050924, but "emerge" will continue to think that 114 is the newer, which is bad.
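The false positives in comment 8 come straight from how Portage orders versions: PMS compares the first numeric component as an integer, so "1.14i_p20050924" sorts below every "114i-rN" ebuild, and the GLSA range "ver-rev <= 114i-r1 && ver-rev not >= 114i-r2" matches it. The following is an added example, not code from this bug or from Portage; it re-implements the PMS version-comparison rules for the version shapes seen in this thread (numeric components, a trailing letter, _alpha/_beta/_pre/_rc/_p suffixes, and -rN revisions) and evaluates the GLSA 200405-02 range from comment 8 against both the old and the renamed version. The function names are my own.

```python
import re

# Version grammar, simplified from PMS section 3.1 (assumption: only the
# components used here; no multi-letter or unusual suffixes):
#   <num>(.<num>)*[a-z]?(_alpha|_beta|_pre|_rc|_p)(N)?...(-rN)?
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)
# Ordering of suffixes: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "p": 4}


def parse_version(version):
    """Split a PMS-style version into (numeric parts, letter, suffixes, revision)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a valid PMS version: {version!r}")
    nums = m.group("nums").split(".")
    letter = m.group("letter") or ""
    suffixes = [(kind, int(num) if num else 0)
                for kind, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    rev = int(m.group("rev") or 0)
    return nums, letter, suffixes, rev


def _cmp(a, b):
    return (a > b) - (a < b)


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to, or newer than v2 (PMS 3.3)."""
    n1, l1, s1, r1 = parse_version(v1)
    n2, l2, s2, r2 = parse_version(v2)
    # First numeric component: plain integer compare. This is why "1.14i..." < "114i...".
    c = _cmp(int(n1[0]), int(n2[0]))
    if c:
        return c
    # Later components: string compare (trailing zeros stripped) if either has a
    # leading zero, otherwise integer compare; a longer version wins on a tie.
    for a, b in zip(n1[1:], n2[1:]):
        if a.startswith("0") or b.startswith("0"):
            c = _cmp(a.rstrip("0"), b.rstrip("0"))
        else:
            c = _cmp(int(a), int(b))
        if c:
            return c
    c = _cmp(len(n1), len(n2)) or _cmp(l1, l2)
    if c:
        return c
    # Suffixes are compared pairwise by kind, then by their number.
    for (k1, x1), (k2, x2) in zip(s1, s2):
        c = _cmp(SUFFIX_RANK[k1], SUFFIX_RANK[k2]) or _cmp(x1, x2)
        if c:
            return c
    if len(s1) != len(s2):
        # An extra trailing _p makes the longer version newer; any other extra
        # suffix (_alpha, _beta, _pre, _rc) makes it older.
        longer_is_v1 = len(s1) > len(s2)
        extra_kind = (s1 if longer_is_v1 else s2)[min(len(s1), len(s2))][0]
        longer_is_newer = extra_kind == "p"
        return 1 if longer_is_v1 == longer_is_newer else -1
    return _cmp(r1, r2)


def vulnerable_per_glsa_200405_02(version):
    """The range glsa-check printed in comment 8: ver-rev <= 114i-r1 && not ver-rev >= 114i-r2."""
    return compare_versions(version, "114i-r1") <= 0 and compare_versions(version, "114i-r2") < 0


if __name__ == "__main__":
    for v in ("1.14i_p20050924", "114i-r5", "114i-r6"):
        print(v, "flagged" if vulnerable_per_glsa_200405_02(v) else "clean")
```

Run stand-alone, the block shows "1.14i_p20050924" flagged by the old GLSA range even though it carries the fix, while the renamed "114i-r6" is clean, which is the reason for the rename in comments 10 and 11. Note that "1.14i_p20050924" is also considered older than the vulnerable "114i-r5" by emerge, so a plain upgrade would never have picked it.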
Comment 10 MATSUU Takuto (RETIRED) gentoo-dev 2006-10-20 08:47:54 UTC
Should I rename it to lha-114i-r6?
Comment 11 MATSUU Takuto (RETIRED) gentoo-dev 2006-10-31 08:36:27 UTC
Renamed.
Comment 12 MATSUU Takuto (RETIRED) gentoo-dev 2006-11-02 04:39:51 UTC
All archs: test and mark stable app-arch/lha-114i-r6
Comment 13 Ferris McCormick (RETIRED) gentoo-dev 2006-11-02 05:04:51 UTC
sparc stable --- builds and runs all tests. Hard for me to test further because I can't read the documentation.
Comment 14 Chris Gianelloni (RETIRED) gentoo-dev 2006-11-02 06:35:54 UTC
x86 done... tested with games-fps/quake1-data... ;]
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-03 06:01:36 UTC
Thanks a lot Matsuu
Comment 16 Fabian Groffen gentoo-dev 2006-11-03 06:07:48 UTC
ppc-macos stable
Comment 17 Danny van Dyk (RETIRED) gentoo-dev 2006-11-03 15:44:32 UTC
amd64 done.
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-04 06:59:13 UTC
ppc stable
Comment 19 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2006-11-04 10:08:20 UTC
All tests passed.

Stable on alpha.
Comment 20 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-04 12:01:33 UTC
Stable on ia64.
Comment 21 Brent Baude (RETIRED) gentoo-dev 2006-11-04 19:53:51 UTC
ppc64 stable, thanks
Comment 22 René Nussbaumer (RETIRED) gentoo-dev 2006-11-05 10:03:36 UTC
Stable on hppa.
Comment 23 MATSUU Takuto (RETIRED) gentoo-dev 2006-11-06 04:04:12 UTC
Removed old version.
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 23:32:13 UTC
Falco is a GLSA needed here?
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-24 13:51:50 UTC
(In reply to comment #23)
> Falco is a GLSA needed here?
> 

Some of the vulnerabilities concern code execution, so of course a GLSA is needed (sorry for the delay :o )
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-28 12:32:25 UTC
GLSA 200611-24