247599 – (CVE-2007-3375) CVE-2007-3375 lhaca issue might affect lha packages

Bug 247599 (CVE-2007-3375) - CVE-2007-3375 lhaca issue might affect lha packages

Summary: CVE-2007-3375 lhaca issue might affect lha packages

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2007-3375
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-07-10 09:50 UTC by Mark J. Cox
Modified:	2021-11-12 19:41 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2007-07-10 13:36:30 UTC
Embargoed:

Attachments	(Terms of Use)

Description Mark J. Cox 2007-07-10 09:50:20 UTC

CERT notified us of a flaw in Lhaca LHA Extended Header handling, but on closer
look at the advisory this looks really similar to the code in header.c in lharc
as distributed in older RHEL releases.  

http://vuln.sg/lhaca121-en.html

We need to look through the lharc code for older RHEL to make sure it is not
vulnerable to this issue.

Marking this bug as private for now, as it isn't public that this might affect
lharc too.

Comment 2 Mark J. Cox 2007-07-10 13:36:30 UTC

This is fixed in Red Hat packages by lha-114i-sec.patch.

Investigation showed that this was in fact the issue from 2004:
http://marc.info/?l=bugtraq&m=108422737918885&w=2  CVE-2004-0234

So LHACA appeared to be vulnerable to this issue due to shared codebase.

Note You need to log in before you can comment on or make changes to this bug.