LHA buffer overflow in various applications

Richard, Matt matthew.richard at COCC.COM
Thu Sep 2 16:32:47 IST 2004


<x-html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2657.73">
<TITLE>LHA buffer overflow in various applications</TITLE>
</HEAD>
<BODY>

<P><FONT SIZE=2 FACE="Courier New">I thought that this information may be of use to the list since most of the AV scanners and zip functions could be impacted.</FONT></P>

<P><FONT SIZE=2 FACE="Courier New">1. LHA Multiple Vulnerabilities - Sept 2, 2004</FONT>
</P>

<P><FONT SIZE=2 FACE="Courier New">Details:</FONT>
</P>

<P><FONT SIZE=2 FACE="Courier New">LHA is an archiving and compression utility for LHarc format archives.</FONT>
</P>

<P><FONT SIZE=2 FACE="Courier New">Lukasz Wojtow discovered a stack-based buffer overflow in all versions</FONT>
<BR><FONT SIZE=2 FACE="Courier New">of lha up to and including version 1.14. A carefully created archive</FONT>
<BR><FONT SIZE=2 FACE="Courier New">could allow an attacker to execute arbitrary code when a victim extracts</FONT>
<BR><FONT SIZE=2 FACE="Courier New">or tests the archive. The Common Vulnerabilities and Exposures project</FONT>
<BR><FONT SIZE=2 FACE="Courier New">(cve.mitre.org) has assigned the name CAN-2004-0769 to this issue.</FONT>
</P>

<P><FONT SIZE=2 FACE="Courier New">Buffer overflows were discovered in the command line processing of all</FONT>
<BR><FONT SIZE=2 FACE="Courier New">versions of lha up to and including version 1.14. If a malicious user</FONT>
<BR><FONT SIZE=2 FACE="Courier New">could trick a victim into passing a specially crafted command line to</FONT>
<BR><FONT SIZE=2 FACE="Courier New">the lha command, it is possible that arbitrary code could be executed.</FONT>
<BR><FONT SIZE=2 FACE="Courier New">The Common Vulnerabilities and Exposures project (cve.mitre.org) has</FONT>
<BR><FONT SIZE=2 FACE="Courier New">assigned the names CAN-2004-0771 and CAN-2004-0694 to these issues.</FONT>
</P>

<P><FONT SIZE=2 FACE="Courier New">Thomas Biege discovered a shell meta character command execution</FONT>
<BR><FONT SIZE=2 FACE="Courier New">vulnerability in all versions of lha up to and including 1.14. An</FONT>
<BR><FONT SIZE=2 FACE="Courier New">attacker could create a directory with shell meta characters in its name</FONT>
<BR><FONT SIZE=2 FACE="Courier New">which could lead to arbitrary command execution. The Common</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Vulnerabilities and Exposures project (cve.mitre.org) has assigned the</FONT>
<BR><FONT SIZE=2 FACE="Courier New">name CAN-2004-0745 to this issue.</FONT>
</P>
<BR>

</BODY>
</HTML>
</x-html>
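An added example, not part of the original message and not code from lha: one way a scanner or unpack wrapper can refuse directory names containing shell metacharacters (the CAN-2004-0745 condition described above) before any such name reaches lha. The allow-list, the function names and the script name `check_dirs.sh` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory or from lha itself.
# Assumption: directory names from this tree will be handed to lha (or to a
# wrapper script around it), so names with shell metacharacters are refused.

# Allow-list (an assumed policy): letters, digits and . _ + , @ % = -
# Any basename containing a character outside that set matches this pattern.
UNSAFE_NAME='*[!A-Za-z0-9._+,@%=-]*'

# Print how many directories under $1 have a basename outside the allow-list.
# Counting one byte per match stays correct even if a name contains newlines.
count_risky_dirs() {
    LC_ALL=C find "$1" -type d -name "$UNSAFE_NAME" -exec printf x \; |
        wc -c | tr -d ' '
}

# Return 0 if the tree is clean; otherwise list offenders on stderr, return 1.
check_tree() {
    n=$(count_risky_dirs "$1")
    [ "$n" -eq 0 ] && return 0
    echo "refusing $1: $n directory name(s) with shell metacharacters" >&2
    # Strip non-printable bytes so a hostile name cannot disturb the terminal.
    LC_ALL=C find "$1" -type d -name "$UNSAFE_NAME" -print |
        LC_ALL=C tr -cd '[:print:]\n' >&2
    return 1
}

# Build a constructed sample tree (two safe names, three unsafe), print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/docs/release-1.14" "$t/a;b" "$t/docs/\$(x)" "$t/with space"
    echo "$t"
}

# Stand-alone use: sh check_dirs.sh /path/to/tree
if [ "$#" -gt 0 ]; then
    check_tree "$1"
    exit $?
fi
```

An allow-list is used rather than a list of known-bad characters so that a metacharacter nobody thought to enumerate is still rejected.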


