Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 62618 - app-arch/lha: multiple vulnerabilities
Summary: app-arch/lha: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal
Assignee: Gentoo Security
URL: http://rhn.redhat.com/errata/RHSA-200...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2004-09-02 06:06 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Red Hat patch 4 (rhel3-lha.patch,6.29 KB, patch)
2004-09-05 05:07 UTC, Matthias Geerdsen (RETIRED)
no flags Details | Diff
RH patch 3 (lha-dir_length_bounds_check.patch,556 bytes, patch)
2004-09-05 05:07 UTC, Matthias Geerdsen (RETIRED)
no flags Details | Diff
RH patch 2 (lha-114i-malloc.patch,257 bytes, patch)
2004-09-05 05:09 UTC, Matthias Geerdsen (RETIRED)
no flags Details | Diff
RH patch (lha-114i-symlink.patch,308 bytes, patch)
2004-09-05 05:12 UTC, Matthias Geerdsen (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-02 06:06:14 UTC
Secunia Advisory at http://secunia.com/advisories/12435/

RH advisory:
  	

An updated lha package fixes security vulnerability
Advisory: 	RHSA-2004:323-09
Last updated on: 	2004-09-01
[...]

CVEs (cve.mitre.org):
CAN-2004-0694
CAN-2004-0745
CAN-2004-0769
CAN-2004-0771

Details:

An updated lha package that fixes a buffer overflow is now available.

LHA is an archiving and compression utility for LHarc format archives.

Lukasz Wojtow discovered a stack-based buffer overflow in all versions
of lha up to and including version 1.14. A carefully created archive could
allow an attacker to execute arbitrary code when a victim extracts or tests
the archive. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0769 to this issue.

Buffer overflows were discovered in the command line processing of all
versions of lha up to and including version 1.14. If a malicious user
could trick a victim into passing a specially crafted command line to the
lha command, it is possible that arbitrary code could be executed. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CAN-2004-0771 and CAN-2004-0694 to these issues.

Thomas Biege discovered a shell meta character command execution
vulnerability in all versions of lha up to and including 1.14. An attacker
could create a directory with shell meta characters in its name which could
lead to arbitrary command execution. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to
this issue.

Users of lha should update to this updated package which contains
backported patches and is not vulnerable to these issues.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-02 06:39:31 UTC
ok... didn't notice it was an errata by RedHat and it seems to have been dealt with quite a while ago

*** This bug has been marked as a duplicate of 51285 ***
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-05 05:03:29 UTC
It doesn't appear to be a total duplicate. There are new OSVDB entries and the CAN numbers look kinda new. And Red Hat is patching quite a bit more than the ebuild does at the moment, if I am not mistaken again.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-05 05:07:07 UTC
Created attachment 38971 [details, diff]
Red Hat patch 4

Attaching RH patches in reverse order, newest first.
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-05 05:07:58 UTC
Created attachment 38972 [details, diff]
RH patch 3
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-05 05:09:08 UTC
Created attachment 38973 [details, diff]
RH patch 2
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-05 05:12:11 UTC
Created attachment 38975 [details, diff]
RH patch

RH Patch1: lha-114i-sec.patch
not attached, because it's identical to Gentoo's lha-114i.diff
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-09-05 08:37:03 UTC
usata, you fixed it last time, could you have a look ?
We may have patched only part of the issues.
Comment 9 Mamoru KOMACHI (RETIRED) gentoo-dev 2004-09-07 06:23:50 UTC
Yes, it looks another vulnerability. I added the patches to lha and released it as lha-114i-r4.
Also I added =app-arch/lha-114i-r2 and =app-arch/lha-114i-r3 to p.mask.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-09-07 08:50:37 UTC
Thanks usata, this is ready for yet another GLSA...
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-08 13:37:03 UTC
GLSA 200409-13