Secunia Advisory at http://secunia.com/advisories/12435/

RH advisory: An updated lha package fixes security vulnerability
Advisory: RHSA-2004:323-09
Last updated on: 2004-09-01
[...]
CVEs (cve.mitre.org): CAN-2004-0694 CAN-2004-0745 CAN-2004-0769 CAN-2004-0771

Details:
An updated lha package that fixes a buffer overflow is now available.

LHA is an archiving and compression utility for LHarc format archives.

Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0769 to this issue.

Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0771 and CAN-2004-0694 to these issues.

Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to this issue.

Users of lha should update to this updated package which contains backported patches and is not vulnerable to these issues.
Forgot this section of the RH adv:

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0771
http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
http://lw.ftw.zamosc.pl/lha-exploit.txt
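The CAN-2004-0745 item above (a directory name containing shell meta characters leading to command execution when the archive is processed) is a general archiver hazard, not specific to lha. The following added example, which is not lha's code and not part of the Red Hat or Gentoo patches, is a format-agnostic pre-extraction check: it takes a list of member names (as an archive listing would print them) and reports the ones an administrator should refuse to extract. The sample listing and the SHELL_META set are constructed here for illustration.

```python
"""Pre-extraction check for archive member names (added example).

Any tool that hands a member's directory name to a shell without quoting can
be driven to run commands, which is the class of problem behind CAN-2004-0745.
Rather than trusting every consumer to quote correctly, refuse names that
contain shell metacharacters; path traversal is checked at the same time
because it is the other classic archive-extraction hazard.
"""
from typing import List, Tuple

# Characters the Bourne shell treats specially (constructed list; adjust to
# taste). Spaces are deliberately not included: they are common in legitimate
# names and are harmless once the name is quoted.
SHELL_META = set(';&|`$()<>\\"\'*?[]{}')


def check_member(name: str) -> List[str]:
    """Return the reasons a member name is unsafe; an empty list means OK."""
    reasons: List[str] = []

    meta = sorted(set(name) & SHELL_META)
    if meta:
        reasons.append("shell metacharacter(s) %s" % "".join(meta))

    # Normalise Windows-style separators so traversal checks see components.
    parts = name.replace("\\", "/").split("/")
    if name.startswith("/"):
        reasons.append("absolute path")
    if ".." in parts:
        reasons.append("parent-directory component")

    # Newlines and other control characters break line-oriented tooling and
    # log output, so treat them as unsafe as well.
    if any(ord(c) < 0x20 for c in name):
        reasons.append("control character")

    return reasons


def unsafe_members(names: List[str]) -> List[Tuple[str, List[str]]]:
    """Filter a listing down to the members that fail check_member()."""
    flagged = []
    for name in names:
        reasons = check_member(name)
        if reasons:
            flagged.append((name, reasons))
    return flagged


# Constructed sample listing: a mix of ordinary names and ones that should be
# refused. The third entry contains a ';', the fourth traverses upwards, the
# fifth carries a command substitution.
SAMPLE_LISTING = [
    "docs/README",
    "src/main.c",
    "logs/;id/",
    "../etc/passwd",
    "build/$(id)/out",
    "notes/a b.txt",
]


if __name__ == "__main__":
    for name, reasons in unsafe_members(SAMPLE_LISTING):
        print("REFUSE %-20s %s" % (name, "; ".join(reasons)))
```

Run it against the output of your archiver's list command before extracting anything from an untrusted archive; a non-empty result means extract into a throwaway directory, or not at all, regardless of whether the archiver itself has been patched.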
ok... didn't notice it was an errata by RedHat and it seems to have been dealt with quite a while ago *** This bug has been marked as a duplicate of 51285 ***
It doesn't appear to be a total duplicate. There are new OSVDB entries and the CAN numbers look kinda new. And Red Hat is patching quite a bit more than the ebuild does at the moment, if I am not mistaken again.
Created attachment 38971 [details, diff]
Red Hat patch 4

Attaching RH patches in reverse order, newest first.
Created attachment 38972 [details, diff] RH patch 3
Created attachment 38973 [details, diff] RH patch 2
Created attachment 38975 [details, diff]
RH patch

RH Patch1: lha-114i-sec.patch not attached, because it's identical to Gentoo's lha-114i.diff
usata, you fixed it last time, could you have a look? We may have patched only part of the issues.
Yes, it looks like another vulnerability. I added the patches to lha and released it as lha-114i-r4. Also I added =app-arch/lha-114i-r2 and =app-arch/lha-114i-r3 to p.mask.
Thanks usata, this is ready for yet another GLSA...
GLSA 200409-13