Red Hat says lha vulnerable to attack

Red Hat recommends users update their lha packages to solve vulnerabilities that can trigger a buffer overflow or launch arbitrary code.

Red Hat recommends those who use the lha archiving and compression tool update their packages to fix vulnerabilities attackers could exploit to trigger a buffer overflow or execute arbitrary code.

The advisory said researcher Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha -- an archiving and compression utility for "lharc" format archives -- up to and including version 1.14.

"A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive," Red Hat said. "If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. An updated lha package that fixes a buffer overflow is now available."

The advisory said researcher Thomas Biege discovered another problem: a shell meta character command execution vulnerability in all versions of lha up to and including 1.14.

"An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution," Red Hat said.

The advisory recommended users of lha switch to the updated package, which contains "backported" patches that are not vulnerable to these issues. The problems affect the following products:

  • Red Hat Desktop (v. 3)
  • Red Hat Enterprise Linux AS (v. 3)
  • Red Hat Enterprise Linux ES (v. 3)
  • Red Hat Enterprise Linux WS (v. 3)

Dig deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close