Bug 220596

Summary: CVE-2006-4335/7/8 multiple vulnerabilities in lha
Product: [Fedora] Fedora
Reporter: Lubomir Kundrak <lkundrak>
Component: lha
Assignee: Tomas Smetana <tsmetana>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Version: 5
Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://sourceforge.jp/projects/lha/document/lha_1.14i-ac20050924p1_-_Changes/
Whiteboard: impact=low,reported=20061204,public=20061202,source=debian
Fixed In Version: 1.14i-20
Doc Type: Bug Fix
Last Closed: 2007-06-05 08:12:35 UTC

Description Lubomir Kundrak 2006-12-22 12:42:01 UTC
+++ This bug was initially created as a clone of Bug #220595 +++

Description of problem:

Multiple vulnerabilities found in GNU gzip also apply to lha, namely:
CVE-2006-4335, CVE-2006-4337 and CVE-2006-4338.

Those are described in detail in
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204676

Version-Release number of selected component (if applicable):
RHEL 2.1, RHEL 3, RHEL 4 and FC 5

How reproducible:

Reproducers available for gzip do not work.

Additional info:

As it's Christmas soon, my Christmas present for you is the backported patch,
so you don't have to deal with the change of coding style between the releases :)

-- Additional comment from lkundrak on 2006-12-22 07:40 EST --
Created an attachment (id=144273)
Backported patch for releases after RHEL 2.1

Comment 1 Tomas Smetana 2007-05-31 08:33:26 UTC
The lha package is not in FC6 or newer... Changed version to FC5.