Bug 220595 (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337)

Summary: CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 multiple vulnerabilities in lha
Product: [Other] Security Response
Reporter: Red Hat Product Security <security-response-team>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bressers, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://sourceforge.jp/projects/lha/document/lha_1.14i-ac20050924p1_-_Changes/
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-08-02 18:19:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Description | Flags
Backported patch for releases after RHEL 2.1 | none
Backported patch for RHEL 2.1 release | none

Description Lubomir Kundrak 2006-12-22 12:40:17 UTC
Description of problem:

Multiple vulnerabilities found in GNU gzip also apply to lha, namely:
CVE-2006-4335, CVE-2006-4337 and CVE-2006-4338.

Those are described in detail in
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204676

Version-Release number of selected component (if applicable):
RHEL 2.1, RHEL 3, RHEL 4 and FC 5

How reproducible:

Reproducers available for gzip do not work.

Additional info:

As it's Christmas soon, my Christmas present for you is the backported patch,
so you don't have to deal with the change of coding style between the releases :)

Comment 1 Lubomir Kundrak 2006-12-22 12:40:17 UTC
Created attachment 144273 [details]
Backported patch for releases after RHEL 2.1

Comment 2 Lubomir Kundrak 2006-12-22 12:42:53 UTC
Created attachment 144274 [details]
Backported patch for RHEL 2.1 release

Comment 4 Red Hat Bugzilla 2009-10-23 19:03:31 UTC
Reporter changed to security-response-team by request of Jay Turner.

Comment 5 Vincent Danen 2010-12-22 16:39:58 UTC
This was addressed via:

Red Hat Enterprise Linux version 2.1 (RHSA-2006:0667)
Red Hat Enterprise Linux version 3 (RHSA-2006:0667)
Red Hat Enterprise Linux version 4 (RHSA-2006:0667)

Comment 6 Josh Bressers 2011-08-02 18:19:20 UTC
Statement:

Red Hat no longer plans to fix this issue in lha for Red Hat Enterprise Linux 4.