Bug 152748

Summary: CAN-2004-0694,0745,0769,0771 - Another buffer overflow in LHA
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: botsch, sheltren, s.j.thompson
Hardware: All   
OS: Linux   
URL: http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
Whiteboard: LEGACY, rh73, rh90
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:26:04 UTC
Another buffer overflow exists in lha.

More info:
http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
http://www.securityfocus.com/archive/1/363418
http://bugs.gentoo.org/show_bug.cgi?id=51285
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126740



------- Additional Comments From jp107.ac.uk 2004-07-06 10:03:40 ----

RedHat seem to be proposing to use the following patch:

  https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=101416&action=view

which looks a reasonable extra test to my untrained eye.




------- Additional Comments From jp107.ac.uk 2004-07-06 10:20:29 ----

Builds for RH9 using that patch can be seen at:

http://www.damtp.cam.ac.uk/user/jp107/legacy/9/RPMS/i386/lha-1.14i-9.2.9.legacy.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/legacy/9/RPMS/i386/lha-debuginfo-1.14i-9.2.9.legacy.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/legacy/9/SRPMS/lha-1.14i-9.2.9.legacy.src.rpm

2f345830d2020c8eaec203c57bdb9e4fbe45c451  RPMS/i386/lha-1.14i-9.2.9.legacy.i386.rpm
47eab3e2083cddd72fcc99e885a9108ec00ae3a7  RPMS/i386/lha-debuginfo-1.14i-9.2.9.legacy.i386.rpm
56fc2cdaeada6ade1b69d15e3e0c529c83638f0e  SRPMS/lha-1.14i-9.2.9.legacy.src.rpm

The version numbering looks strange but RH9 happened to end with lha-1.14i-9.1

I'm sure that someone can tidy that up a lot.




------- Additional Comments From marcdeslauriers 2004-07-06 11:55:27 ----

Humm....the patch in redhat's bugzilla looks like it has nothing to do with the
problem reported in the original post and the gentoo discussion...we'll have to
investigate further...



------- Additional Comments From marcdeslauriers 2004-07-06 12:09:34 ----

OK, it actually is a better patch, as per:
http://seclists.org/lists/bugtraq/2004/Jun/0255.html




------- Additional Comments From marcdeslauriers 2004-07-06 12:32:21 ----


Here are packages for 7.3:

10a5b2ccf8fbd87172047d71b09dbae5787eb8e0  lha-1.14i-4.7.3.2.legacy.i386.rpm
21182d300c1f02fd0c51c776af3578b236362147  lha-1.14i-4.7.3.2.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/lha-1.14i-4.7.3.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/lha-1.14i-4.7.3.2.legacy.src.rpm




------- Additional Comments From jp107.ac.uk 2004-07-28 06:27:05 ----

I also have packages for RH8 if anyone is interested (we now have that on our
RH8 machines, based on the RH9 srpm with just the version number changed):

http://www.damtp.cam.ac.uk/user/jp107/legacy/8.0/

  SRPMS/lha-1.14i-9.2.80.JSP.src.rpm
  RPMS/i386/lha-1.14i-9.2.80.JSP.i386.rpm

13b41498794a250c422db4a61bd13fe6a1ddbb0e SRPMS/lha-1.14i-9.2.80.JSP.src.rpm
92f99df6faf5b000bee12bf7962316f288ca40a9 RPMS/i386/lha-1.14i-9.2.80.JSP.i386.rpm

I wish that this box didn't line-wrap so early.

Is anyone actually interested in getting an updated version released?




------- Additional Comments From dwb7.edu 2004-08-13 11:25:01 ----

Since I don't use lha, I can't really QA. But the spec file looks ok, the
srpm builds, and the resulting rpm installs (on RH7.3).



------- Additional Comments From ckelley 2004-08-31 09:38:32 ----

 
I use LHA with amavis; so I double-checked it all
 
From the RPM:
-rw-r--r--    1 root     root          556 Jul  6 16:23 lha-114i-sec2.patch
-rw-r--r--    1 root     root         1809 May  1 11:19 lha-114i-sec.patch
-rw-r--r--    1 root     root        64608 Aug 29  2001 lha-114i.tar.gz
1df0ee43e654de829bdfced733407e7ef5644c22  lha-114i-sec.patch
c3c3425ada06cb3c2adedc252ae1b2c3fd513705  lha-114i-sec2.patch
79e35271f2cf783f946db3f22e304fef72dbac99  lha-114i.tar.gz

From http://www2m.biglobe.ne.jp/~dolphin/lha/prog/lha-114i.tar.gz:
-rw-r--r--    1 root     root        64608 Dec 15  2000 lha-114i.tar.gz
79e35271f2cf783f946db3f22e304fef72dbac99  lha-114i.tar.gz
 
Signatures check out good, as does the sec2.patch;  spec file looks
good.  It builds and installs just fine.  It unpacks a test lha archive
as well.



------- Additional Comments From ckelley 2004-08-31 11:11:26 ----

 
This looks good to PUBLISH
 




------- Additional Comments From marcdeslauriers 2004-09-01 15:43:47 ----

Can someone make sure we got all the patches from this:

https://rhn.redhat.com/errata/RHSA-2004-323.html

in our LHA...





------- Additional Comments From jp107.ac.uk 2004-09-02 01:57:56 ----

The RHEL srpm contains 2 patches which we don't yet have, one just adds a
#include <malloc.h> but the last one (rhel3-lha.patch) contains code to (based
on a quick read):

  add a missing */ to close a comment (lha_macro.h)

  use strncpy not strcpy and add extra size checks (several places in lharc.c
  lhlist.c)

  use snprintf not sprintf to avoid a buffer overflow (several places in
  lharc.c)

  avoid system() in util.c (fork and exec by hand to avoid shell metacharacter
  errors).

These need to be added.  I'd guess that simply rebuilding from the RH srpm will
do fine (modulo changing the version number).

I no longer have any RH9 machines to hand to build rpms on.  I can provide RH8
rpms if anyone were interested (but the RHEL srpm will probably be the best
place to start!)
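The fix patterns the comment above lists (bounded copies with explicit size checks instead of strcpy/sprintf, and running a helper without going through a shell instead of system()), as an added C example that is not code from the LHA package or from the RHEL patch; all function names and the buffer size are hypothetical.

```c
/* Added example (hypothetical names), not the LHA sources or the RHEL patch. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define NAME_MAX_LEN 64   /* hypothetical fixed-size header field */

/* Copy an archive member name of known length into a fixed buffer.
 * Unlike strcpy, the destination size is checked first; the caller is
 * expected to reject the archive when the name does not fit.
 * Returns 0 on success, -1 if src_len would overflow dst. */
int copy_member_name(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (src_len >= dst_size)          /* keep room for the terminator */
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Build "prefix: name" with snprintf; sprintf would write past dst when the
 * name is long, snprintf stops at dst_size and reports the needed length.
 * Returns 0 on success, -1 when the output was truncated. */
int format_listing_line(char *dst, size_t dst_size, const char *prefix, const char *name)
{
    int n = snprintf(dst, dst_size, "%s: %s", prefix, name);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : 0;
}

/* Run a program with fork/execvp instead of system(): argv is handed to the
 * program as-is, so a filename containing ';', '$(' or '|' is just a string,
 * never a shell command. Returns the child's exit status, or -1 on failure. */
int run_without_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                   /* child: replace ourselves, no shell */
        execvp(argv[0], argv);
        _exit(127);                   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```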



------- Additional Comments From michal 2004-09-07 10:00:05 ----

I can confirm that src.rpm from an advisory referenced in comment #10 simply
rebuilds on RH 7.x installations (and does include all patches used in
making lha-1.14i-4.7.3.2.legacy.src.rpm).



------- Additional Comments From marcdeslauriers 2004-09-08 10:55:47 ----


Here are updated lha packages to QA for 7.3 and 9.

They fix the following:
CAN-2004-0234, CAN-2004-0235
CAN-2004-0694, CAN-2004-0745, CAN-2004-0769, CAN-2004-0771

Changelog:
* Wed Sep 08 2004 Marc Deslauriers <marcdeslauriers> 1.14i-9.3.legacy
- Rebuilt as Fedora Legacy security update

* Tue Aug 03 2004 Than Ngo <than> 1.14i-10.4
- another LHA buffer overflow

7.3:
38cba8051de6f6f028e107d534caa9da6278c18e  lha-1.14i-4.7.3.3.legacy.i386.rpm
313066fd102d1a05e073eb57dcf366651633cf12  lha-1.14i-4.7.3.3.legacy.src.rpm

9:
42fd4dfd63699684d02b03cb2776f568c0ff2502  lha-1.14i-9.3.legacy.i386.rpm
b0136a8d6e973f10ecbae595f5eb68ff08e95705  lha-1.14i-9.3.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/lha-1.14i-4.7.3.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/lha-1.14i-4.7.3.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/lha-1.14i-9.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/lha-1.14i-9.3.legacy.src.rpm




------- Additional Comments From ckelley 2004-09-08 11:24:17 ----

 
38cba8051de6f6f028e107d534caa9da6278c18e lha-1.14i-4.7.3.3.legacy.i386.rpm
313066fd102d1a05e073eb57dcf366651633cf12 lha-1.14i-4.7.3.3.legacy.src.rpm
 
package builds just fine, it applies these patches:
 
Patch: lha-114i-symlink.patch
Patch1: lha-114i-sec.patch
Patch2: lha-114i-malloc.patch
Patch3: lha-dir_length_bounds_check.patch
Patch4: rhel3-lha.patch
 
The resulting binaries can pack/unpack LHA archives just fine with the
test ones that I have.
 
PUBLISH
 




------- Additional Comments From simon 2004-09-08 11:55:59 ----

38cba8051de6f6f028e107d534caa9da6278c18e lha-1.14i-4.7.3.3.legacy.i386.rpm
313066fd102d1a05e073eb57dcf366651633cf12 lha-1.14i-4.7.3.3.legacy.src.rpm

Spec looks correct, all patches referenced correctly and all current security
issues seem to be covered.
Source archives checksum ok.
Source RPM builds, installs, compresses and decompresses files as required.

PUBLISH

- Si



------- Additional Comments From mule 2004-09-10 05:48:58 ----

 
42fd4dfd63699684d02b03cb2776f568c0ff2502  lha-1.14i-9.3.legacy.i386.rpm
b0136a8d6e973f10ecbae595f5eb68ff08e95705  lha-1.14i-9.3.legacy.src.rpm
 
For Red Hat 9:
* builds from source
* installs
 
PUBLISH
 




------- Additional Comments From dom 2004-09-14 14:00:49 ----

Draft advisory:
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1833-lha-draft.txt



------- Additional Comments From marcdeslauriers 2004-09-29 15:07:15 ----

pushed to updates-testing



------- Additional Comments From S.J.Thompson.ac.uk 2004-09-30 04:36:35 ----

 
Testing on RedHat 9
 
SRPM
ba93abb5201ef503bb866403dae811eb5caa3a86  lha-1.14i-9.3.legacy.src.rpm
 
RPM
344f153d52712fbcba78e79b28fe46012d826a74  lha-1.14i-9.3.legacy.i386.rpm
 
Running 'rpm -checksig -v' on both files indicates packages are correctly signed.
 
SRPM builds ok.
 
RPM installs fine.
 
The following operations have been tested and work correctly:
  * listing files
  * extracting an entire archive
  * extracting a specific file from an archive
  * removing a specific file from an archive
  * adding a file to an archive
  * creating a new archive

+VERIFY




------- Additional Comments From sheltren.edu 2004-10-07 06:04:41 ----


Verifying RH9 package:

4458d9eec9f7706070f67e0263aab497bced075a  lha-1.14i-9.4.legacy.i386.rpm

Package signature is good 
Installs OK
Tested a few compresses and extracts - looks good

VERIFY++



------- Additional Comments From mgerber 2004-10-12 07:26:23 ----


Testing for RHL73.

421a0998d84a2b75ebaa0bb334273ce1dad2be88  lha-1.14i-4.7.3.3.legacy.i386.rpm
aa6033fd436ea908b38b2035f096223f92ed780d  lha-1.14i-4.7.3.3.legacy.src.rpm

- RPM sigs are ok.

lha-1.14i-4.7.3.3.legacy.i386.rpm: md5 gpg OK
lha-1.14i-4.7.3.3.legacy.src.rpm: md5 gpg OK

- Binary RPM installs and works fine.

++VERIFY




------- Additional Comments From marcdeslauriers 2004-10-13 12:51:37 ----

pushed to updates



------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 1833 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1833
Originally filed under the Fedora Legacy product and Package request component.
