Description of problem: Multiple vulnerabilities found in GNU gzip also apply to lha, namely: CVE-2006-4335, CVE-2006-4337 and CVE-2006-4338. Those are described in detail in http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204676
Version-Release number of selected component (if applicable): RHEL 2.1, RHEL 3, RHEL 4 and FC 5
How reproducible: Reproducers available for gzip do not work.
Additional info: As it's Christmas soon, my Christmas present for you is the backported patch, so you don't have to deal with the change of coding style between the releases :)
Created attachment 144273: Backported patch for releases after RHEL 2.1
Created attachment 144274: Backported patch for RHEL 2.1 release
Reporter changed to security-response-team by request of Jay Turner.
This was addressed via:
Red Hat Enterprise Linux version 2.1 (RHSA-2006:0667)
Red Hat Enterprise Linux version 3 (RHSA-2006:0667)
Red Hat Enterprise Linux version 4 (RHSA-2006:0667)
Statement: Red Hat no longer plans to fix this issue in lha for Red Hat Enterprise Linux 4.