(Conectiva Issues Fix) lha Buffer Overflows Let Remote Users Create Malicious Archives to Execute Arbitrary Code
SecurityTracker Alert ID: 1010086
SecurityTracker URL: http://securitytracker.com/id/1010086
CVE Reference:
CAN-2004-0234, CAN-2004-0235
Date: May 6 2004
Impact:
Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Description:
Several vulnerabilities were reported in the 'lha' LHarc archive processor. A remote user can create a malicious archive that will execute arbitrary code or write files to other directories on the system.
Red Hat reported that there are two stack buffer overflows and two directory traversal flaws in LHA.
A remote user can create a specially crafted LHA archive that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can also create a specially crafted LHA archive that, when expanded by the target user, will create files on the target user's system in a location outside of the current directory.
Ulf Harnhammar is credited with discovering these flaws.
Impact:
A remote user can create an archive that, when processed by a target user, will execute arbitrary code on the target user's system with the privileges of the target user or will create files on the target user's system that are located outside of the expected directory.
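Both flaw classes described above (a stack buffer overflow and a directory traversal) come from trusting a member name stored in the archive. The following C code is an added example, not lha's source or Conectiva's patch: it shows the two checks an extractor needs before using such a name, a length check before copying into a fixed buffer and rejection of absolute paths and `..` components. `check_member_name`, `NAME_MAX_OUT` and the sample names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_OUT 256   /* assumed size of the extractor's name buffer */

enum name_status { NAME_OK, NAME_EMPTY, NAME_TOO_LONG, NAME_BAD_BYTE,
                   NAME_ABSOLUTE, NAME_TRAVERSAL };

/* Validate a length-prefixed member name read from an untrusted archive
 * header, then copy it into out[outsz]. Nothing is written to out unless
 * every check passes. Hypothetical helper, not taken from lha. */
enum name_status check_member_name(const unsigned char *name, size_t len,
                                   char *out, size_t outsz)
{
    size_t i, start = 0;

    if (len == 0)
        return NAME_EMPTY;
    if (len >= outsz)                      /* boundary: leave room for NUL */
        return NAME_TOO_LONG;
    if (memchr(name, '\0', len) != NULL)   /* embedded NUL hides a suffix */
        return NAME_BAD_BYTE;
    if (name[0] == '/' || name[0] == '\\')
        return NAME_ABSOLUTE;
    /* Split on '/' or '\\' and reject any component that is exactly "..". */
    for (i = 0; i <= len; i++) {
        if (i == len || name[i] == '/' || name[i] == '\\') {
            if (i - start == 2 && name[start] == '.' && name[start + 1] == '.')
                return NAME_TRAVERSAL;
            start = i + 1;
        }
    }
    memcpy(out, name, len);
    out[len] = '\0';
    return NAME_OK;
}

int main(void)
{
    /* Constructed member names, not taken from any real archive. */
    const char *s[] = { "docs/readme.txt", "../../etc/passwd", "/etc/passwd" };
    char out[NAME_MAX_OUT];
    for (size_t k = 0; k < sizeof s / sizeof s[0]; k++)
        printf("%-18s -> %d\n", s[k], check_member_name(
            (const unsigned char *)s[k], strlen(s[k]), out, sizeof out));
    return 0;
}
```

A name check of this kind does not cover symbolic links that already exist in the destination directory; those need a separate check at extraction time.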
Solution:
Conectiva has released a fix.
ftp://atualizacoes.conectiva.com.br/8/RPMS/lha-1.14i-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/lha-1.14i-2U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/lha-1.14i-8382U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/lha-1.14i-8382U90_1cl.src.rpm
Cause:
Access control error, Boundary error, Input validation error
Underlying OS:
Linux (Conectiva)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Thu, 6 May 2004 18:21:06 -0300
Subject: [conectiva-updates] [CLA-2004:840] Conectiva Security Announcement - lha
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : lha
SUMMARY : Buffer overflow and directory traversal vulnerabilities
DATE : 2004-05-06 18:20:00
ID : CLA-2004:840
RELEVANT
RELEASES : 8, 9
- -------------------------------------------------------------------------
DESCRIPTION
Lha is an archiving and compression utility for LHarc format
archives.
Ulf Härnhammar discovered a buffer overflow[1] and a directory
traversal[2] vulnerability in the lha utility. Both vulnerabilities
can be exploited by an attacker with the use of specially crafted
LHarc archives. When processed by lha, these files may cause it to
execute arbitrary code (exploiting the buffer overflow vulnerability)
or overwrite arbitrary files if the user unpacking the malicious
archive has sufficient filesystem permissions to do so (exploiting
the directory traversal vulnerability).
This update fixes both issues.
SOLUTION
All users of the lha utility should upgrade.
REFERENCES:
1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0234
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0235
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/lha-1.14i-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/lha-1.14i-2U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/lha-1.14i-8382U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/lha-1.14i-8382U90_1cl.src.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFAmqxB42jd0JmAcZARAnFuAJ4vNF1BtKwnj+gPNkbJX9uDd8R8cACgn/m2
0Zdnd2yki0ohO0H2oIKkoNE=
=CoA6
-----END PGP SIGNATURE-----