Debian Bug report logs - #401301
lha: LHa Multiple Vulnerabilities
Reported by: Stefan Fritsch <sf@sfritsch.de>
Date: Sat, 2 Dec 2006 13:03:11 UTC
Severity: grave
Tags: security
Found in version lha/1.14i-10
Fixed in version 1.14i-10.1
Done: Moritz Muehlenhoff <jmm@inutil.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, GOTO Masanori <gotom@debian.org>: Bug#401301; Package lha.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, GOTO Masanori <gotom@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: lha
Version: 1.14i-10
Severity: grave
Tags: security
Justification: user security hole
LHA seems to be affected by
CVE-2006-4335
CVE-2006-4337
CVE-2006-4338
See http://secunia.com/advisories/23153/ for details
Information forwarded to debian-bugs-dist@lists.debian.org, GOTO Masanori <gotom@debian.org>: Bug#401301; Package lha.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to GOTO Masanori <gotom@debian.org>.
Message #10 received at 401301@bugs.debian.org:
On Sat, Dec 02, 2006 at 01:54:57PM +0100, Stefan Fritsch wrote:
> Package: lha
> Version: 1.14i-10
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> LHA seems to be affected by
> CVE-2006-4335
> CVE-2006-4337
> CVE-2006-4338
If GNU gzip can handle LHA archives I'm wondering if the non-free
lha is really worth keeping?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, GOTO Masanori <gotom@debian.org>: Bug#401301; Package lha.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: Extra info received and forwarded to list. Copy sent to GOTO Masanori <gotom@debian.org>.
Message #15 received at 401301@bugs.debian.org:
On Tuesday 05 December 2006 23:48, Moritz Muehlenhoff wrote:
> If GNU gzip can handle LHA archives I'm wondering if the non-free
> lha is really worth keeping?
I don't think gzip can handle LHA archives. It just supports one
obscure format that uses LHA's algorithm.
BTW, in combination with amavisd-new and possibly with clamav, this
issue may allow remote code execution. At least amavisd-new uses lha
by default when it is installed.
Stefan
Information forwarded to debian-bugs-dist@lists.debian.org, GOTO Masanori <gotom@debian.org>: Bug#401301; Package lha.
Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>: Extra info received and forwarded to list. Copy sent to GOTO Masanori <gotom@debian.org>.
Message #20 received at 401301@bugs.debian.org:
* Stefan Fritsch (sf@sfritsch.de) [061202 04:55]:
> LHA seems to be affected by
> CVE-2006-4335
> CVE-2006-4337
> CVE-2006-4338
All these bugs seem to be in gzip, not in lha?
Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
Reply sent to Moritz Muehlenhoff <jmm@inutil.org>: You have taken responsibility.
Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.
Message #25 received at 401301-done@bugs.debian.org:
Version: 1.14i-10.1
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#401301; Package lha.
Acknowledgement sent to GOTO Masanori <gotom@debian.org>: Extra info received and forwarded to list.
Message #30 received at 401301@bugs.debian.org:
At Wed, 13 Dec 2006 15:03:26 -0800, Debian Bug Tracking System wrote:
> To: 401301-done@bugs.debian.org
> Subject: Fixed
> From: Moritz Muehlenhoff <jmm@inutil.org>
> Date: Wed, 13 Dec 2006 23:35:27 +0100
> Message-ID: <20061213223527.GA3405@galadriel.inutil.org>
>
> Version: 1.14i-10.1
Thanks for your help! I'll check the patch.
Regards,
-- gotom
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Jun 2007 07:26:07 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:59:06 2019.