Red Hat 8853 Published by

Updated lha packages are available for Red Hat Linux 7.3 and 9

-----------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated lha resolves security vulnerabilities
Advisory ID: FLSA:1833
Issue date: 2004-10-13
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1833
CVE Names: CAN-2004-0234, CAN-2004-0235, CAN-2004-0694,
CAN-2004-0745, CAN-2004-0769, CAN-2004-0771
-----------------------------------------------------------------------


-----------------------------------------------------------------------
1. Topic:

Updated lha packages that fix multiple security vulnerabilities are now available.

LHA is an archiving and compression utility for LHarc format archives.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386



3. Problem description:

Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA.

An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0234 to this issue.

An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0235 to this issue.

Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0769 to this issue.

Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0771 and CAN-2004-0694 to these issues.

Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to this issue.

All users are advised to upgrade to these updated packages, which contain a backported fix and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1833 - CAN-2004-0694,0745,0769,0771 -
Another buffer overflow in LHA
http://bugzilla.fedora.us - 1547 - LHA directory traversal, buffer
overflow vulns

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/lha-1.14i-4.7.3.3
.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/lha-1.14i-4.7.3.3.
legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/lha-1.14i-9.4.legac
y.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/lha-1.14i-9.4.legacy
.i386.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------------

421a0998d84a2b75ebaa0bb334273ce1dad2be88

7.3/updates/i386/lha-1.14i-4.7.3.3.legacy.i386.rpm
aa6033fd436ea908b38b2035f096223f92ed780d

7.3/updates/SRPMS/lha-1.14i-4.7.3.3.legacy.src.rpm
4458d9eec9f7706070f67e0263aab497bced075a

9/updates/i386/lha-1.14i-9.4.legacy.i386.rpm
b1ae50a84ca44b9e515757b6e0363ce5bf53d8ab

9/updates/SRPMS/lha-1.14i-9.4.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
http://lw.ftw.zamosc.pl/lha-exploit.txt

9. Contact:

The Fedora Legacy security contact is secnotice@fedoralegacy.org. More project details at http://www.fedoralegacy.org