Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 181210

Summary: app-arch/lha Temp file issue (CVE-2007-2030)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal CC: matsuu, usata
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2030
Whiteboard:
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-07 17:02:45 UTC
lharc.c in lha does not securely create temporary files, which might allow local users to read or write files by creating a file before LHA is invoked.
Comment 1 MATSUU Takuto (RETIRED) gentoo-dev 2007-06-09 23:30:40 UTC
the vuln has no affected gentoo.

app-arch/lha doesn't have the issue because it uses lha-autoconf version and it has no the vuln reported by upstream.
http://lists.sourceforge.jp/mailman/archives/lha-users/2007-April/000428.html
http://lists.sourceforge.jp/mailman/archives/lha-users/2007-April/000431.html
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-10 07:51:00 UTC
Matsuu thanks for the analysis.