Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2006-4335 CVE-2006-4337 CVE-2006-4338

Source

Debian Bug report logs - #401301
lha: LHa Multiple Vulnerabilities

Package: lha; Maintainer for lha is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sat, 2 Dec 2006 13:03:11 UTC

Severity: grave

Tags: security

Found in version lha/1.14i-10

Fixed in version 1.14i-10.1

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, GOTO Masanori <gotom@debian.org>:
Bug#401301; Package lha. (full text, mbox, link).

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, GOTO Masanori <gotom@debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: lha
Version: 1.14i-10
Severity: grave
Tags: security
Justification: user security hole


LHA seems to be affected by 
CVE-2006-4335
CVE-2006-4337
CVE-2006-4338

See 
http://secunia.com/advisories/23153/
for details

Information forwarded to debian-bugs-dist@lists.debian.org, GOTO Masanori <gotom@debian.org>:
Bug#401301; Package lha. (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to GOTO Masanori <gotom@debian.org>. (full text, mbox, link).

Message #10 received at 401301@bugs.debian.org (full text, mbox, reply):

On Sat, Dec 02, 2006 at 01:54:57PM +0100, Stefan Fritsch wrote:
> Package: lha
> Version: 1.14i-10
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> 
> LHA seems to be affected by 
> CVE-2006-4335
> CVE-2006-4337
> CVE-2006-4338

If GNU gzip can handle LHA archives I'm wondering if the non-free
lha is really worth keeping?

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, GOTO Masanori <gotom@debian.org>:
Bug#401301; Package lha. (full text, mbox, link).

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to GOTO Masanori <gotom@debian.org>. (full text, mbox, link).

Message #15 received at 401301@bugs.debian.org (full text, mbox, reply):

On Tuesday 05 December 2006 23:48, Moritz Muehlenhoff wrote:
> If GNU gzip can handle LHA archives I'm wondering if the non-free
> lha is really worth keeping?

I don't think gzip can handle LHA archives. It just supports one 
obscure format that uses LHA's algorithm.

BTW, in combination with amavisd-new and possibliy with clamav, this 
issue may allow remote code execution. At least amavisd-new uses lha 
by default when it is installed.

Stefan

Information forwarded to debian-bugs-dist@lists.debian.org, GOTO Masanori <gotom@debian.org>:
Bug#401301; Package lha. (full text, mbox, link).

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to GOTO Masanori <gotom@debian.org>. (full text, mbox, link).

Message #20 received at 401301@bugs.debian.org (full text, mbox, reply):

* Stefan Fritsch (sf@sfritsch.de) [061202 04:55]:
> LHA seems to be affected by 
> CVE-2006-4335
> CVE-2006-4337
> CVE-2006-4338

All these bugs seem to be in gzip, not in lha?


Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/

Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (full text, mbox, link).

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (full text, mbox, link).

Message #25 received at 401301-done@bugs.debian.org (full text, mbox, reply):

Version: 1.14i-10.1

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#401301; Package lha. (full text, mbox, link).

Acknowledgement sent to GOTO Masanori <gotom@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).

Message #30 received at 401301@bugs.debian.org (full text, mbox, reply):

At Wed, 13 Dec 2006 15:03:26 -0800,
Debian Bug Tracking System wrote:
> To: 401301-done@bugs.debian.org
> Subject: Fixed
> From: Moritz Muehlenhoff <jmm@inutil.org>
> Date: Wed, 13 Dec 2006 23:35:27 +0100
> Message-ID: <20061213223527.GA3405@galadriel.inutil.org>
> 
> Version: 1.14i-10.1

Thanks for your help!  I'll check the patch.

Regards,
-- gotom

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Jun 2007 07:26:07 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:59:06 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

lha: LHa Multiple Vulnerabilities

Debian Bug report logs - #401301
lha: LHa Multiple Vulnerabilities

Vulmon Search

About

Products

Connect

lha: LHa Multiple Vulnerabilities

Debian Bug report logs - #401301 lha: LHa Multiple Vulnerabilities

Vulmon Search

About

Products

Connect

Debian Bug report logs - #401301
lha: LHa Multiple Vulnerabilities