The latest security patches for RHEL #126740 have not made it into
Fedora Core yet; the included lha-1.14i-14 still looks vulnerable.
This entry shall serve as a reminder, since lha runs in a lot of
mail-scanners and may thus be remotely exploitable.
Created attachment 103533
dir_length bounds check from rhel3
Created attachment 103534
patch for extract_one and others from rhel
Created attachment 103535
New specfile to build fixed lha-1.14i-15
It's already built for fc1 and fc2. Both still need to be signed and
pushed to the download site.