
JVNDB-2004-000169

LHa Buffer Overflow Vulnerability in Testing and Extracting Process

Overview

LHa for UNIX does not properly handle the header length information when testing or extracting an archive, which could lead to a buffer overflow.

CVSS Severity

CVSS V2 Severity:
Base Metrics 10.0 (High) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products


LHa for UNIX project
  • LHa for UNIX 1.17 and earlier
Red Hat, Inc.
  • Red Hat Enterprise Linux 2.1 (as)
  • Red Hat Enterprise Linux 3 (as)
  • Red Hat Enterprise Linux 2.1 (es)
  • Red Hat Enterprise Linux 3 (es)
  • Red Hat Enterprise Linux 2.1 (ws)
  • Red Hat Enterprise Linux 3 (ws)
  • Red Hat Enterprise Linux Desktop 3.0
  • Red Hat Linux 9
  • Red Hat Linux Advanced Workstation 2.1

Impact

An attacker could execute arbitrary code with the privileges of the user running LHa.
Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.
Vendor Information

  • LHa for UNIX project
  • Red Hat, Inc.

CWE

CVE

  1. CVE-2004-0234
References

  1. National Vulnerability Database (NVD) : CVE-2004-0234
  2. Open Vulnerability and Assessment Language (OVAL) : 977
  3. SecurityFocus : 10243
  4. SecurityFocus : LHA Advisory + Patch (marc.info)
  5. ISS X-Force Database : 16012
  6. SecurityTracker : 1015866
  7. FrSIRT Advisories : FrSIRT/ADV-2006-1220
  8. OPEN SOURCE VULNERABILITY DATABASE (OSVDB) : 5753
  9. OPEN SOURCE VULNERABILITY DATABASE (OSVDB) : 5754
Revision History

  • [2008/05/21]
      Web page published