Bug 152704 - LHA directory traversal, buffer overflow vulns
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Platform: All Linux
Priority: medium  Severity: medium
Assigned To: Fedora Legacy Bugs
URL: https://rhn.redhat.com/errata/RHSA-20...
Whiteboard: LEGACY, rh73
Reported: 2004-04-30 14:31 EDT by Barry K. Nathan
Modified: 2014-01-21 17:51 EST
Attachments: None
Description David Lawrence 2005-03-30 18:24:37 EST
RHSA-2004-179 (linked from this bug) discusses this for Red Hat 9.
(CAN-2004-0234, CAN-2004-0235 by the way)

I would guess that this affects 7.2 through 8.0, but I don't know for sure. I'll
investigate this later if nobody else does first.



------- Additional Comments From jonny.strom@netikka.fi 2004-05-01 07:45:32 ----

Updated packages for Red Hat 7.3 based on the Red Hat 9 patch are available at:

http://av8.netikka.fi/~johnny/fedora_legacy/rh73/

http://213.250.83.8/~johnny/fedora_legacy/rh73/lha-1.14i-4.7.3.1.legacy.i386.rpm
b1efb6dadb6197885667d60ae80bc6af

http://213.250.83.8/~johnny/fedora_legacy/rh73/lha-1.14i-4.7.3.1.legacy.src.rpm
da03428024f93e86c3ae5372231fc1f1

http://213.250.83.8/~johnny/fedora_legacy/rh73/lha-114i-sec.patch
9f883cd9bf7821e51045bfc39bb3d032

I did basic testing by uncompressing lha files and it worked as expected.



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-04 05:05:10 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Although I do not have any lha files with which to test, have rebuilt the SRPM
on 7.3. Rebuilt binary installed fine.

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl7EMSY7s7uPf/IURAoobAJ9VygzjtXZljB6wHsJAA1H1+WZ/XgCgr7Ei
ZcD2q31QHqLAlADdsSPv1os=
=ibg3
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-04 06:38:32 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5sum of the SRPM I rebuilt:

da03428024f93e86c3ae5372231fc1f1  lha-1.14i-4.7.3.1.legacy.src.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl8bzSY7s7uPf/IURAtIxAJwPYLBJgVy95r/vvGRxNT7dSbg8JQCgwMOI
Idh2u/5GZvN/Zn12xrrpu6E=
=4sgs
-----END PGP SIGNATURE-----




------- Additional Comments From dom@earth.li 2004-05-11 06:28:50 ----

Am unable to QA this package, since:

--17:27:42-- 
http://213.250.83.8/%7Ejohnny/fedora_legacy/rh73/lha-1.14i-4.7.3.1.legacy.src.rpm
           => `lha-1.14i-4.7.3.1.legacy.src.rpm'
Connecting to 213.250.83.8:80... failed: No route to host.




------- Additional Comments From dom@earth.li 2004-05-11 06:31:06 ----

Apologies - above issue is a local problem.



------- Additional Comments From jkeating@j2solutions.net 2004-05-18 18:52:36 ----

Looks like this only affects 7.3 and 8.0.  7.2 used a version before 1.14, all
reports state that it's 1.14 that is vuln.  I haven't done a source code audit
to confirm though, that would be nice if somebody can do this.  Looks like same
source was used from 7.3->9, so the patch should backport/forwardport cleanly to 8.0



------- Additional Comments From jkeating@j2solutions.net 2004-05-19 17:12:50 ----

8.0 packages built using the patch from comment #1

http://geek.j2solutions.net/rpms/legacy/lha/

5513fc275ce81c60b35f2bc0ec6c53dc10855cbc  8.0/lha-1.14i-7.8.0.legacy.i386.rpm
be1c1c99e7c0474e355855e54023e89fd37e9188  8.0/lha-1.14i-7.8.0.legacy.src.rpm
5429c9a8b94f71bbf1b954a47d5c2c9528ebce62  8.0/sha1sums

Please QA for entry into updates-testing.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-05 08:25:43 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tested rh7.3 package:

da03428024f93e86c3ae5372231fc1f1  lha-1.14i-4.7.3.1.legacy.src.rpm

- - md5sum match
- - spec file looks good
- - patch looks good
- - builds OK
- - installs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAwg/RLMAs/0C4zNoRAnBvAKCPx6udxskYB2J1hQUCi43R6TUVcQCePtoT
B2l304al5IZOqGcm+f+b9hE=
=8U3C
-----END PGP SIGNATURE-----
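
The "md5sum match" step of the QA checklist above, as an added example that is not code from any commenter on this bug: a POSIX shell helper that compares a downloaded file against the checksum pasted in a comment (md5 sums were posted for the 7.3 packages, sha1 sums for the 8.0 packages), plus a loop over a "hash  path" list of the kind posted for 8.0. The file contents, hashes and file names it runs on are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report. Verifies a downloaded
# package against the checksum a tracker comment lists for it.

# verify_sum ALGO EXPECTED FILE
#   ALGO is md5 or sha1; returns 0 on match, 1 on mismatch or missing
#   file, 2 on an unknown algorithm.
verify_sum() {
    algo=$1; expected=$2; file=$3
    case "$algo" in
        md5)  actual=$(md5sum "$file" 2>/dev/null | cut -d' ' -f1) ;;
        sha1) actual=$(sha1sum "$file" 2>/dev/null | cut -d' ' -f1) ;;
        *)    echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    # Hashes are hand-pasted into comments; compare case-insensitively.
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (expected $expected, got ${actual:-nothing})" >&2
    return 1
}

# verify_list ALGO LISTFILE
#   LISTFILE holds "hash  path" lines as pasted in the comments (the
#   same layout as a sha1sums file). Returns the number of failures,
#   so 0 means every listed file matched.
verify_list() {
    algo=$1; list=$2; failed=0
    while read -r sum path; do
        [ -n "$sum" ] || continue        # skip blank lines
        verify_sum "$algo" "$sum" "$path" || failed=$((failed + 1))
    done < "$list"
    return "$failed"
}

# Demo on a constructed file (not one of the packages from the report):
# the md5 of the five bytes "hello" is 5d41402abc4b2a76b9719d911017c592.
demo=$(mktemp)
printf 'hello' > "$demo"
verify_sum md5 5d41402abc4b2a76b9719d911017c592 "$demo"
rm -f "$demo"
```

A matching checksum only shows the download is the file the commenter built; it says nothing about who built it, which is why the reviewers here also sign their QA reports and the files themselves are rebuilt from the SRPM before +PUBLISH.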




------- Additional Comments From jkeating@j2solutions.net 2004-06-16 17:38:12 ----

Pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/
 
be858cbed37c43d12f2e3c8943fd5aa21331a191 
7.3/updates-testing/SRPMS/lha-1.14i-4.7.3.1.legacy.src.rpm
1809b90634cc098bb86823375f7ff07a00ce0693 
7.3/updates-testing/i386/lha-1.14i-4.7.3.1.legacy.i386.rpm




------- Additional Comments From pedrocj@terra.es 2004-06-17 11:54:38 ----

The rh80 package has been downloaded for QA. Thanks a lot for your help.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-07-06 12:33:33 ----

Newer packages fixing an additional vulnerability in bug 1833



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:24 -------

This bug previously known as bug 1547 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1547
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

