Bug 220595 (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337) - CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 multiple vulnerabilities in lha
Summary: CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 multiple vulnerabilities in lha
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2006-4335, CVE-2006-4336, CVE-2006-4337
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://sourceforge.jp/projects/lha/do...
Whiteboard:
Depends On:
Blocks:
Reported: 2006-12-22 12:40 UTC by Red Hat Product Security
Modified: 2021-02-25 18:34 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-02 18:19:20 UTC
Embargoed:


Attachments
Backported patch for releases after RHEL 2.1 (3.65 KB, patch)
2006-12-22 12:40 UTC, Lubomir Kundrak
Backported patch for RHEL 2.1 release (3.65 KB, patch)
2006-12-22 12:42 UTC, Lubomir Kundrak

Description Lubomir Kundrak 2006-12-22 12:40:17 UTC
Description of problem:

Multiple vulnerabilities found in GNU gzip also apply to lha, namely:
CVE-2006-4335, CVE-2006-4337 and CVE-2006-4338.

Those are described in detail in
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204676

Version-Release number of selected component (if applicable):
RHEL 2.1, RHEL 3, RHEL 4 and FC 5

How reproducible:

Reproducers available for gzip do not work.

Additional info:

As it's Christmas soon, my Christmas present for you is the backported patch,
so you don't have to deal with the change of coding style between the releases :)

Comment 1 Lubomir Kundrak 2006-12-22 12:40:17 UTC
Created attachment 144273
Backported patch for releases after RHEL 2.1

Comment 2 Lubomir Kundrak 2006-12-22 12:42:53 UTC
Created attachment 144274
Backported patch for RHEL 2.1 release

Comment 4 Red Hat Bugzilla 2009-10-23 19:03:31 UTC
Reporter changed to security-response-team by request of Jay Turner.

Comment 5 Vincent Danen 2010-12-22 16:39:58 UTC
This was addressed via:

Red Hat Enterprise Linux version 2.1 (RHSA-2006:0667)
Red Hat Enterprise Linux version 3 (RHSA-2006:0667)
Red Hat Enterprise Linux version 4 (RHSA-2006:0667)

Comment 6 Josh Bressers 2011-08-02 18:19:20 UTC
Statement:

Red Hat no longer plans to fix this issue in lha for Red Hat Enterprise Linux 4.

