Bug 131948 - CAN-2004-0694, CAN-2004-0745, CAN-2004-0769, CAN-2004-0771 lha security flaws
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: lha   
Version: 2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ngo Than
QA Contact:
URL: https://rhn.redhat.com/errata/RHSA-20...
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2004-09-07 10:07 UTC by Bernhard Weisshuhn
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-09-07 13:01:42 UTC
Attachments
dir_length bounds check from rhel3 (581 bytes, patch)
2004-09-07 10:19 UTC, Bernhard Weisshuhn
patch for extract_one and others from rhel (6.29 KB, patch)
2004-09-07 10:21 UTC, Bernhard Weisshuhn
New specfile to build fixed lha-1.14i-15 (3.22 KB, text/plain)
2004-09-07 10:22 UTC, Bernhard Weisshuhn

Description Bernhard Weisshuhn 2004-09-07 10:07:12 UTC
The latest security patches for rhel #126740 have not made it into
fedora core yet, the included lha-1.14i-14 still looks vulnerable.
This entry shall serve as a reminder, since lha runs in a lot of
mail-scanners and may thus be remotely exploitable.

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126740
http://rhn.redhat.com/errata/RHSA-2004-323.html

Comment 1 Bernhard Weisshuhn 2004-09-07 10:19:13 UTC
Created attachment 103533
dir_length bounds check from rhel3

Comment 2 Bernhard Weisshuhn 2004-09-07 10:21:06 UTC
Created attachment 103534
patch for extract_one and others from rhel

Comment 3 Bernhard Weisshuhn 2004-09-07 10:22:29 UTC
Created attachment 103535
New specfile to build fixed lha-1.14i-15

Comment 4 Ngo Than 2004-09-07 13:01:42 UTC
It's already built for fc1 and fc2. Both still need to be signed and
pushed to download site.

