|
|
Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200611-24] LHa: Multiple vulnerabilities Vulnerability Scan
Vulnerability Scan Summary
LHa: Multiple vulnerabilities
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200611-24
(LHa: Multiple vulnerabilities)
Tavis Ormandy of the Google Security Team discovered several
vulnerabilities in the LZH decompression component used by LHa. The
make_table function of unlzh.c contains an array index error and a
buffer overflow vulnerability. The build_tree function of unpack.c
contains a buffer underflow vulnerability. Additionally, unlzh.c
contains a code that could run in an infinite loop.
Impact
By enticing a user to uncompress a specially crafted archive, a remote
attacker could cause a Denial of Service by CPU consumption or execute
arbitrary code with the rights of the user running the application.
Workaround
There is no known workaround at this time.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338
Solution:
All LHa users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/lha-114i-r6"
Threat Level: Medium
Click HERE for more information and discussions on this network vulnerability scan.
|
