A CVE was assigned for a buffer overflow fixed upstream in lha: http://openwall.com/lists/oss-security/2016/01/18/8 The upstream fix is here: https://osdn.jp/projects/lha/scm/git/lha/commits/bf2471f59ecc1aa45645d967bc9fa0efa3de3556 Our lha is probably affected, but the code is quite different, so the fix would need to be rewritten. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO
Assigning to packagers collectively with the registered maintainer in CC. If working on it, please assign the bug report to yourself.
Assignee: bugsquad => pkg-bugs
Hi, The code from upstream is so totally different from the code in our package that I think we should package a new version based upon the latest git commit (our code seems to have not changed since 2005 at least so I am not sure CVE-2016-1925 is the only security bug we have). As a bonus, the version from 2016-02-02 upstream code that I packaged locally has an English man page and a "--help option". Best regards, Nico.
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => nicolas.salguero
Suggested advisory: ======================== The updated package corrects a buffer overflow (CVE-2016-1925). ======================== Updated packages in core/updates_testing: ======================== i586: lha-1.14i-20160202.1.mga5.i586.rpm x86_64: lha-1.14i-20160202.1.mga5.x86_64.rpm Source RPMs: lha-1.14i-20160202.1.mga5.src.rpm
Status: NEW => ASSIGNEDHardware: i586 => AllVersion: Cauldron => 5Assignee: nicolas.salguero => qa-bugsWhiteboard: MGA5TOO => (none)
Thanks Nicolas! Suggested advisory: ======================== Updated lha package fixes security vulnerability: The lha command is vulnerable to a buffer overflow while processing level 0 and level 1 headers while extracting an archive (CVE-2016-1925). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1925 http://openwall.com/lists/oss-security/2016/01/18/8
In VirtualBox, M5, KDE, 32-bit Package(s) under test: lha default install of lha [root@localhost wilcal]# urpmi lha Package lha-1.14i-26.mga5.i586 is already installed I don't understand how to format the command. See attachment.
CC: (none) => wilcal.int
Created attachment 7677 [details] lha example
I found this: http://www.pconhand.com/lha.asp
Hi, In your example, the right syntax is: "lha a test.lzh test.jpg". Best regards, Nico.
(In reply to Nicolas Salguero from comment #8) > In your example, the right syntax is: "lha a test.lzh test.jpg". Neither: lha a test.lzh test.jpg lha a test.jpg test.lzh work. :-(( [wilcal@localhost lha]$ lha a test.lzh test.jpg LHa: Fatal error: /tmp/lhH8dayH: File exists Seems to be building lots of these files in /tmp
Yes, I get the same error with the old version of lha. "lha a test.lzh test.jpg" works with the new version. In fact, I am pretty sure lha did not work at all in the old version.
(In reply to Nicolas Salguero from comment #10) > In fact, I am pretty sure lha did not work at all in the old version. Seems that way. I'll fire up the test system again tomorrow and we'll get this turkey behind us.
MGA-32 on Acer D620 Xfce No installation issues. At ClI: $ lha a P1013241.lzh P1013241.JPG P1013241.JPG - Frozen(99%) oooooooooooooooooooooooooooooooooooooooooooooo The file P1013241.lzh was created which I could open with ark and view the picture therein.
CC: (none) => herman.viaeneWhiteboard: (none) => has_procedure MGA5-32-OK
In VirtualBox, M5, KDE, 32-bit Package(s) under test: lha default install of lha [root@localhost lha]# urpmi lha Package lha-1.14i-20160202.1.mga5.i586 is already installed [wilcal@localhost lha]$ lha a test.lzh test.jpg test.jpg - Frozen(99%) oooooooooooooooooooooooooooooooooooooo created test.lzh
In VirtualBox, M5, KDE, 64-bit Package(s) under test: lha default install of lha [root@localhost lha]# urpmi lha Package lha-1.14i-20160202.1.mga5.x86_64 is already installed [wilcal@localhost lha]$ lha a test.lzh test.jpg test.jpg - Frozen(98%) ooooo created test.lzh
This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Great work everyone. Thanks.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OKCC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0142.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/684749/