| Summary: | lha new security issue CVE-2016-1925 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, nicolas.salguero, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/684749/ | ||
| Whiteboard: | has_procedure advisory MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | lha-1.14i-26.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | lha example | ||
|
Description
David Walser
2016-01-19 18:36:05 CET
David Walser
2016-01-19 18:36:12 CET
Whiteboard:
(none) =>
MGA5TOO Assigning to packagers collectively with the registered maintainer in CC. If working on it, please assign the bug report to yourself. Assignee:
bugsquad =>
pkg-bugs Hi, The code from upstream is so totally different from the code in our package that I think we should package a new version based upon the latest git commit (our code seems to have not changed since 2005 at least so I am not sure CVE-2016-1925 is the only security bug we have). As a bonus, the version from 2016-02-02 upstream code that I packaged locally has an English man page and a "--help option". Best regards, Nico. CC:
(none) =>
nicolas.salguero
Nicolas Salguero
2016-04-14 15:19:10 CEST
Assignee:
pkg-bugs =>
nicolas.salguero Suggested advisory: ======================== The updated package corrects a buffer overflow (CVE-2016-1925). ======================== Updated packages in core/updates_testing: ======================== i586: lha-1.14i-20160202.1.mga5.i586.rpm x86_64: lha-1.14i-20160202.1.mga5.x86_64.rpm Source RPMs: lha-1.14i-20160202.1.mga5.src.rpm Status:
NEW =>
ASSIGNED Thanks Nicolas! Suggested advisory: ======================== Updated lha package fixes security vulnerability: The lha command is vulnerable to a buffer overflow while processing level 0 and level 1 headers while extracting an archive (CVE-2016-1925). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1925 http://openwall.com/lists/oss-security/2016/01/18/8 In VirtualBox, M5, KDE, 32-bit Package(s) under test: lha default install of lha [root@localhost wilcal]# urpmi lha Package lha-1.14i-26.mga5.i586 is already installed I don't understand how to format the command. See attachment. CC:
(none) =>
wilcal.int Created attachment 7677 [details]
lha example
I found this: http://www.pconhand.com/lha.asp Hi, In your example, the right syntax is: "lha a test.lzh test.jpg". Best regards, Nico. (In reply to Nicolas Salguero from comment #8) > In your example, the right syntax is: "lha a test.lzh test.jpg". Neither: lha a test.lzh test.jpg lha a test.jpg test.lzh work. :-(( [wilcal@localhost lha]$ lha a test.lzh test.jpg LHa: Fatal error: /tmp/lhH8dayH: File exists Seems to be building lots of these files in /tmp Yes, I get the same error with the old version of lha. "lha a test.lzh test.jpg" works with the new version. In fact, I am pretty sure lha did not work at all in the old version. (In reply to Nicolas Salguero from comment #10) > In fact, I am pretty sure lha did not work at all in the old version. Seems that way. I'll fire up the test system again tomorrow and we'll get this turkey behind us. MGA-32 on Acer D620 Xfce No installation issues. At ClI: $ lha a P1013241.lzh P1013241.JPG P1013241.JPG - Frozen(99%) oooooooooooooooooooooooooooooooooooooooooooooo The file P1013241.lzh was created which I could open with ark and view the picture therein. CC:
(none) =>
herman.viaene In VirtualBox, M5, KDE, 32-bit Package(s) under test: lha default install of lha [root@localhost lha]# urpmi lha Package lha-1.14i-20160202.1.mga5.i586 is already installed [wilcal@localhost lha]$ lha a test.lzh test.jpg test.jpg - Frozen(99%) oooooooooooooooooooooooooooooooooooooo created test.lzh In VirtualBox, M5, KDE, 64-bit Package(s) under test: lha default install of lha [root@localhost lha]# urpmi lha Package lha-1.14i-20160202.1.mga5.x86_64 is already installed [wilcal@localhost lha]$ lha a test.lzh test.jpg test.jpg - Frozen(98%) ooooo created test.lzh This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Great work everyone. Thanks. Keywords:
(none) =>
validated_update Advisory uploaded. Whiteboard:
has_procedure MGA5-32-OK MGA5-64-OK =>
has_procedure advisory MGA5-32-OK MGA5-64-OK An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0142.html Status:
ASSIGNED =>
RESOLVED
David Walser
2016-04-22 18:34:33 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/684749/ |