
Red Hat says lha vulnerable to attack

Red Hat recommends users update their lha packages to fix vulnerabilities that can trigger a buffer overflow or allow arbitrary code execution.

Red Hat recommends those who use the lha archiving and compression tool update their packages to fix vulnerabilities attackers could exploit to trigger a buffer overflow or execute arbitrary code.

The advisory said researcher Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha -- an archiving and compression utility for "lharc" format archives -- up to and including version 1.14.

"A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive," Red Hat said. "If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. An updated lha package that fixes a buffer overflow is now available."
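The overflow class the advisory describes is a header parser that trusts a length field from the archive and copies that many bytes into a fixed-size stack buffer. The following C program is an added illustration of that pattern beside its bounds-checked form; it is not lha's source and the header layout (one length byte followed by the name) is invented for the example, not the real lharc format. A small byte array stands in for the stack frame so the corruption of the bytes after the name field can be observed deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy header layout (invented for this example, not the real lharc format):
 *   byte 0     : length of the file name, chosen by whoever built the archive
 *   bytes 1..n : the file name bytes                                          */
#define NAME_FIELD_LEN 16u   /* fixed buffer the extractor copies the name into */
#define FRAME_LEN      32u   /* name field followed by bytes standing in for saved frame state */
#define SENTINEL       0xAAu /* fill pattern for the "saved state" so clobbering is visible */

/* Build a crafted header with a name of name_len bytes into hdr; returns header size, 0 on error. */
static size_t build_header(uint8_t *hdr, size_t hdr_cap, size_t name_len) {
    if (name_len > 255 || 1 + name_len > hdr_cap) return 0;
    hdr[0] = (uint8_t)name_len;
    memset(hdr + 1, 'A', name_len);           /* constructed filler name */
    return 1 + name_len;
}

/* Vulnerable pattern: the length byte from the archive is trusted as the copy
 * size into a 16-byte field.  frame models a stack frame: name[0..16) followed
 * by saved state.  Returns bytes copied, or -1 if the header is truncated. */
int copy_name_unchecked(const uint8_t *hdr, size_t hdr_len, uint8_t frame[FRAME_LEN]) {
    size_t n = hdr[0];
    if (hdr_len < 1 + n) return -1;
    if (n > FRAME_LEN) n = FRAME_LEN;   /* backstop only so the demo stays inside frame[];
                                           a real stack frame has no such limit */
    memcpy(frame, hdr + 1, n);          /* n > NAME_FIELD_LEN overwrites the saved state */
    return (int)n;
}

/* Hardened pattern: bound the copy by the destination, leaving room for a NUL. */
int copy_name_checked(const uint8_t *hdr, size_t hdr_len, uint8_t frame[FRAME_LEN]) {
    size_t n = hdr[0];
    if (hdr_len < 1 + n) return -1;
    if (n >= NAME_FIELD_LEN) return -1; /* reject rather than truncate: a silently
                                           shortened name would name a different file */
    memcpy(frame, hdr + 1, n);
    frame[n] = '\0';
    return (int)n;
}

/* 1 if any byte beyond the name field no longer holds the sentinel. */
static int saved_state_clobbered(const uint8_t frame[FRAME_LEN]) {
    for (size_t i = NAME_FIELD_LEN; i < FRAME_LEN; i++)
        if (frame[i] != SENTINEL) return 1;
    return 0;
}

/* Run one parser variant on a crafted header.  Returns -1 if the parser rejected
 * the header, 1 if it accepted it and clobbered the saved state, 0 if accepted safely. */
static int run_variant(int (*copy)(const uint8_t *, size_t, uint8_t *), size_t name_len) {
    uint8_t hdr[256], frame[FRAME_LEN];
    size_t hdr_len = build_header(hdr, sizeof hdr, name_len);
    if (hdr_len == 0) return -1;
    memset(frame, SENTINEL, sizeof frame);
    if (copy(hdr, hdr_len, frame) < 0) return -1;
    return saved_state_clobbered(frame);
}

int run_unchecked(size_t name_len) { return run_variant(copy_name_unchecked, name_len); }
int run_checked(size_t name_len)   { return run_variant(copy_name_checked, name_len); }

int main(void) {
    printf("unchecked, 10-byte name: %d\n", run_unchecked(10));  /* 0: fits in the field */
    printf("unchecked, 24-byte name: %d\n", run_unchecked(24));  /* 1: saved state overwritten */
    printf("checked,   24-byte name: %d\n", run_checked(24));    /* -1: header rejected */
    return 0;
}
```

The checked variant rejects an over-long name instead of truncating it; truncation keeps the extractor alive but can make it write to a path other than the one the archive named, which matters when the archive is untrusted.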

The advisory said researcher Thomas Biege discovered another problem: a shell meta character command execution vulnerability in all versions of lha up to and including 1.14.

"An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution," Red Hat said.
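The second issue is the classic shell-injection pattern: a name taken from the archive is spliced into a command string that is handed to /bin/sh, so a name such as `docs; echo INJECTED` becomes two commands. The C program below is an added example of that pattern and of the fix that avoids the shell entirely; it is not lha's code, and the `mkdir -p` command template and the hostile directory name are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: a directory name from the archive is spliced into a
 * command line that would be handed to /bin/sh through system() or popen().
 * Only the string is built here; nothing is executed.  Returns NULL if the
 * name does not fit. */
const char *build_shell_command(const char *dir) {
    static char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "mkdir -p %s", dir);
    if (n < 0 || (size_t)n >= sizeof cmd) return NULL;
    return cmd;
}

/* 1 if the name contains a character /bin/sh interprets rather than passing
 * through literally.  Useful as an audit check, but a reject-list is fragile;
 * the durable fix is not to involve the shell at all (see run_without_shell). */
int contains_shell_meta(const char *s) {
    return strpbrk(s, ";|&$`<>()'\"\\*?[]{}~#! \t\n") != NULL;
}

/* Hardened pattern: fork and execvp with an explicit argv.  The name is one
 * argument delivered to the program unchanged, so metacharacters are inert.
 * Returns the child's exit status, or -1 on failure. */
int run_without_shell(const char *prog, const char *arg) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)arg, NULL };
        execvp(prog, argv);
        _exit(127);                      /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed hostile name: a usable directory name that is also a second shell command. */
    const char *hostile = "docs; echo INJECTED";
    printf("shell would run : %s\n", build_shell_command(hostile));
    printf("metacharacters  : %d\n", contains_shell_meta(hostile));
    /* echo receives the whole string as one argument; no second command runs */
    printf("execvp exit     : %d\n", run_without_shell("echo", hostile));
    return 0;
}
```

The usual trap is "escaping" the name before passing it to system(): every quoting scheme has to match the shell's exact parsing rules, whereas an argv passed to execvp never reaches a shell parser at all.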

The advisory recommended users of lha upgrade to the updated package, which contains "backported" patches that fix both issues. The problems affect the following products:

  • Red Hat Desktop (v. 3)
  • Red Hat Enterprise Linux AS (v. 3)
  • Red Hat Enterprise Linux ES (v. 3)
  • Red Hat Enterprise Linux WS (v. 3)
