LHA multiple buffer overflows

lha-multiple-bo (16012)

High Risk

Description:

LHA is vulnerable to two buffer overflows, caused by improper bounds checking. A remote attacker could create a specially-crafted LHA archive to overflow the buffers and execute arbitrary code on the victim's system, once the victim tests or extracts the archive.

Platforms Affected:

• Barracuda Networks, Barracuda Spam Firewall prior to 3.3.03.022
• Conectiva, Linux 8.0
• Conectiva, Linux 9.0
• Debian, Debian Linux 3.0
• Gentoo, Linux
• Novell, UnitedLinux 1.0
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 AW
• RedHat, Enterprise Linux 3 WS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 3 AS
• RedHat, Linux 9.0
• RedHat, Linux Advanced Workstation 2.1 Itanium
• Slackware, Slackware Linux 8.1
• Slackware, Slackware Linux 9.0
• Slackware, Slackware Linux 9.1
• Slackware, Slackware Linux current
• SuSE, SuSE Linux 8.1
• SuSE, SuSE Linux 9.0
• SuSE, SuSE Linux 9.1
• SuSE, SuSE Linux Connectivity Server
• SuSE, SuSE Linux Database Server
• SuSE, SuSE Linux Desktop 1.0
• SuSE, SuSE Linux Enterprise Server 7.0
• SuSE, SuSE Linux Office Server
• Tsugio Okamoto, LHA

Remedy:

For Red Hat Linux 9:
Upgrade to the latest version of LHA (1.14i-9.1 or later), as listed in RHSA-2004:179-03. See References.

For Red Hat Linux:
Upgrade to the latest LHA package, as listed below. Refer to RHSA-2004:178-01 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 1.00-17.2 or later

Red Hat Enterprise Linux AS (v. 3), ES (v. 3), WS (v. 3), Desktop: 1.14i-10.2.x86_64 or later

For Conectiva Linux:
Upgrade to the latest lha package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:840 for more information. See References.

Conectiva Linux 8: 1.14i-2U80_1cl or later
Conectiva Linux 9: 1.14i-8382U90_1cl or later

For Gentoo Linux:
Upgrade to the latest version of lha (114i-r2 or later), as listed in GLSA 200405-02. See References.

For Slackware Linux: Upgrade to the latest bin package, as listed below. Refer to slackware-security Mailing List, Tue, 4 May 2004 16:34:52 -0700 (PDT) for more information. See References. Slackware Linux 8.1: 8.3.0-i386-32 or later Slackware Linux 9.0: 8.5.0-i386-2 or later Slackware Linux 9.1: 8.5.0-i486-2 or later Slackware Linux -current: 9.0.0-i486-2 or later

For Debian GNU/Linux 3.0 (alias woody):

Upgrade to the latest lha package (1.14i-2woody1 or later), as listed in DSA-515-1. See References.

For Barracuda Spam Firewall:
Upgrade to the latest firmware version (3.3.03.022 or later) and spamdef version (3.0.10045 or later) available from the Barracuda Web Site. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• Barracuda Web site, Spam Filter / Spam Firewall / Spyware Filter / Spam Appliance / Spyware Appliance at http://www.barracudanetworks.com/ns/?L=en.
• Conectiva Linux Security Announcement CLSA-2004:840, lha at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000840.
• Full-Disclosure Mailing List, Mon Apr 03 2006 - 18:51:15 CDT, Barracuda ZOO archiver security bug leads to remote compromise at http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0062.html.
• Full-Disclosure Mailing List, Mon Apr 03 2006 - 18:51:17 CDT, Barracuda LHA archiver security bug leads to remote compromise at http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0063.html.
• GLSA 200405-02, Multiple vulnerabilities in LHa at http://www.linuxsecurity.com/content/view/106018/104/.
• slackware-security Mailing List, Tue, 4 May 2004 16:34:52 -0700 (PDT), lha update in bin package (SSA:2004-125-01) at http://www.slackware.org/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.389726.
• BID-10243: Multiple LHA Buffer Overflow/Directory Traversal Vulnerabilities
• CVE-2004-0234: Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.
• DSA-515: lha -- several vulnerabilities
• GLSA-200405-02: Multiple vulnerabilities in LHa
• OSVDB ID: 5753: LHA get_header File Name Overflow
• OSVDB ID: 5754: LHA get_header Directory Name Overflow
• RHSA-2004-178: lha security update
• RHSA-2004-179: An updated LHA package fixes security vulnerabilities
• SA19514: Barracuda Spam Firewall Archives Buffer Overflow Vulnerabilities
• SECTRACK ID: 1015866: Barracuda Spam Firewall Buffer Overflows in Processing LHA and ZOO Archives Let Remote Users Execute Arbitrary Code
• SUSE-SA:2004:010: Linux Kernel: privilege escalation local DoS
• SUSE-SA:2004:011: Live CD 9.1: remote root access
• VUPEN/ADV-2006-1220: Barracuda Spam Firewall Archives Handling Buffer Overflow Vulnerabilities

Reported:

Apr 30, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page