Bug 152704

Summary: LHA directory traversal, buffer overflow vulns
Product: [Retired] Fedora Legacy
Reporter: Barry K. Nathan <barryn>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: barryn, botsch
Hardware: All
OS: Linux
URL: https://rhn.redhat.com/errata/RHSA-2004-179.html
Whiteboard: LEGACY, rh73
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:24:37 UTC
RHSA-2004-179 (linked from this bug) discusses this for Red Hat 9.
(CAN-2004-0234, CAN-2004-0235 by the way)

I would guess that this affects 7.2 through 8.0, but I don't know for sure. I'll
investigate this later if nobody else does first.

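The two issue classes named in the summary, a traversal through archive member names and an overflow of a fixed-size header buffer, are both caught at the same point in an extractor: where a length-prefixed name from the archive header is checked before it is copied and joined to the extraction directory. The following is an added defensive example, not code from lha or from any of the packages in this bug; the buffer size, the backslash-as-separator rule and the sample names are assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Size of the destination buffer an extractor would hold the member name in.
 * Constructed limit for this example, not a value from lha's source. */
#define MEMBER_PATH_MAX 256

typedef enum {
    PATH_OK = 0,
    PATH_EMPTY,
    PATH_TOO_LONG,   /* would overflow the fixed-size name buffer */
    PATH_BAD_CHAR,   /* embedded NUL: C string code would see a shorter name */
    PATH_ABSOLUTE,   /* leading separator escapes the extraction directory */
    PATH_TRAVERSAL   /* a ".." component escapes the extraction directory */
} path_verdict;

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Validate a length-prefixed member name (as archive headers store it) and
 * copy it, NUL-terminated, into out only if every check passes. The length
 * test runs before any copy, so an oversized header field is rejected instead
 * of overflowing out. Backslash is treated as a separator as well, a
 * conservative assumption for archives written on DOS. */
path_verdict check_member_path(const char *name, size_t name_len,
                               char *out, size_t out_size)
{
    if (out_size > 0) out[0] = '\0';
    if (name_len == 0) return PATH_EMPTY;
    if (name_len >= out_size) return PATH_TOO_LONG;
    if (memchr(name, '\0', name_len) != NULL) return PATH_BAD_CHAR;
    if (is_sep(name[0])) return PATH_ABSOLUTE;

    /* Walk the path component by component; only an exact ".." component
     * is rejected, so names such as "..foo" still pass. */
    size_t start = 0;
    for (size_t i = 0; i <= name_len; i++) {
        if (i == name_len || is_sep(name[i])) {
            if (i - start == 2 && name[start] == '.' && name[start + 1] == '.')
                return PATH_TRAVERSAL;
            start = i + 1;
        }
    }
    memcpy(out, name, name_len);
    out[name_len] = '\0';
    return PATH_OK;
}

/* Convenience wrapper for NUL-terminated names. */
path_verdict classify_member_name(const char *name)
{
    char buf[MEMBER_PATH_MAX];
    return check_member_path(name, strlen(name), buf, sizeof buf);
}

/* Constructed oversized name: 300 bytes of 'a', longer than the buffer. */
path_verdict oversized_name_verdict(void)
{
    char big[300];
    char buf[MEMBER_PATH_MAX];
    memset(big, 'a', sizeof big);
    return check_member_path(big, sizeof big, buf, sizeof buf);
}

int main(void)
{
    /* Constructed samples, not names taken from any real archive. */
    const char *samples[] = {
        "docs/readme.txt", "..foo/bar", "../etc/passwd", "/etc/passwd",
        "a/../b", "dir\\..\\x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], classify_member_name(samples[i]));
    printf("oversized -> %d\n", oversized_name_verdict());
    return 0;
}
```

The order of the checks is the point: the length comparison and the NUL scan happen before any byte reaches the destination buffer, and the component walk rejects the name rather than trying to normalise it, so a rejected entry is skipped and logged instead of being written somewhere unexpected.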


------- Additional Comments From jonny.strom 2004-05-01 07:45:32 ----

Updated packages for Red Hat 7.3 based on the Red Hat 9 patch are available at:

http://av8.netikka.fi/~johnny/fedora_legacy/rh73/

http://213.250.83.8/~johnny/fedora_legacy/rh73/lha-1.14i-4.7.3.1.legacy.i386.rpm
b1efb6dadb6197885667d60ae80bc6af

http://213.250.83.8/~johnny/fedora_legacy/rh73/lha-1.14i-4.7.3.1.legacy.src.rpm
da03428024f93e86c3ae5372231fc1f1

http://213.250.83.8/~johnny/fedora_legacy/rh73/lha-114i-sec.patch
9f883cd9bf7821e51045bfc39bb3d032

I did basic testing by uncompressing lha files and it worked as expected.



------- Additional Comments From dwb7.edu 2004-05-04 05:05:10 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Although I do not have any lha files with which to test, I have rebuilt the SRPM
on 7.3. The rebuilt binary installed fine.

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl7EMSY7s7uPf/IURAoobAJ9VygzjtXZljB6wHsJAA1H1+WZ/XgCgr7Ei
ZcD2q31QHqLAlADdsSPv1os=
=ibg3
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7.edu 2004-05-04 06:38:32 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5sum of the SRPM I rebuilt:

da03428024f93e86c3ae5372231fc1f1  lha-1.14i-4.7.3.1.legacy.src.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl8bzSY7s7uPf/IURAtIxAJwPYLBJgVy95r/vvGRxNT7dSbg8JQCgwMOI
Idh2u/5GZvN/Zn12xrrpu6E=
=4sgs
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-05-11 06:28:50 ----

Am unable to QA this package, since:

--17:27:42-- 
http://213.250.83.8/%7Ejohnny/fedora_legacy/rh73/lha-1.14i-4.7.3.1.legacy.src.rpm
           => `lha-1.14i-4.7.3.1.legacy.src.rpm'
Connecting to 213.250.83.8:80... failed: No route to host.




------- Additional Comments From dom 2004-05-11 06:31:06 ----

Apologies - the above issue is a local problem.



------- Additional Comments From jkeating 2004-05-18 18:52:36 ----

Looks like this only affects 7.3 and 8.0.  7.2 used a version before 1.14; all
reports state that it's 1.14 that is vulnerable.  I haven't done a source code audit
to confirm, though; it would be nice if somebody could do this.  Looks like the same
source was used from 7.3 to 9, so the patch should backport/forwardport cleanly to 8.0.



------- Additional Comments From jkeating 2004-05-19 17:12:50 ----

8.0 packages built using the patch from comment #1

http://geek.j2solutions.net/rpms/legacy/lha/

5513fc275ce81c60b35f2bc0ec6c53dc10855cbc  8.0/lha-1.14i-7.8.0.legacy.i386.rpm
be1c1c99e7c0474e355855e54023e89fd37e9188  8.0/lha-1.14i-7.8.0.legacy.src.rpm
5429c9a8b94f71bbf1b954a47d5c2c9528ebce62  8.0/sha1sums

Please QA for entry into updates-testing.



------- Additional Comments From marcdeslauriers 2004-06-05 08:25:43 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tested rh7.3 package:

da03428024f93e86c3ae5372231fc1f1  lha-1.14i-4.7.3.1.legacy.src.rpm

- md5sum match
- spec file looks good
- patch looks good
- builds OK
- installs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAwg/RLMAs/0C4zNoRAnBvAKCPx6udxskYB2J1hQUCi43R6TUVcQCePtoT
B2l304al5IZOqGcm+f+b9hE=
=8U3C
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating 2004-06-16 17:38:12 ----

Pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/

be858cbed37c43d12f2e3c8943fd5aa21331a191  7.3/updates-testing/SRPMS/lha-1.14i-4.7.3.1.legacy.src.rpm
1809b90634cc098bb86823375f7ff07a00ce0693  7.3/updates-testing/i386/lha-1.14i-4.7.3.1.legacy.i386.rpm




------- Additional Comments From pedrocj 2004-06-17 11:54:38 ----

The rh80 package has been downloaded for QA. Thanks a lot for your help.



------- Additional Comments From marcdeslauriers 2004-07-06 12:33:33 ----

Newer packages fixing an additional vulnerability are in bug 1833.



------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1547 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1547
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.