Revision Date: 2004-09-01
Version: 502
Title: RHSA-2004:323: lha security update (Important)
Description: LHA is an archiving and compression utility for LHarc format archives.
Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0769 to this issue.
Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0771 and CAN-2004-0694 to these issues.
Thomas Biege discovered a shell metacharacter command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell metacharacters in its name, which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to this issue.
Users of lha should upgrade to this updated package, which contains backported patches and is not vulnerable to these issues.
Family: unix
Class: patch
Status:
Reference(s): CVE-2004-0694, CVE-2004-0745, CVE-2004-0769, CVE-2004-0771, RHSA-2004:323-01
Platform(s): Red Hat Enterprise Linux 3
Product(s):
Definition Synopsis:
Red Hat Enterprise Linux 3 is installed AND lha is earlier than 0:1.14i-10.4 AND lha is signed with Red Hat master key