Message-ID: <1084661855.40a6a05ff3aac@webmail.uu.se>
Date: Sun, 16 May 2004 00:57:35 +0200
From: Ulf Härnhammar <Ulf.Harnhammar.9485@...dent.uu.se>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: Re: lha buffer overflow(s) again

> it seems that lha is quite poorly written. after your last advisory, i
> decided to take a look at the code and found 2 BO in function extract_one
> (file lhext.c):
>
>     if (extract_directory)
>         sprintf(name, "%s/%s", extract_directory, q);
>     else
>         strcpy(name, q);

The first case (when the if clause evaluates to true) is a buffer
overflow, but it only occurs when lha is called with long command
line parameters:

  lha xw=[about 390-400 characters] some_lharc_archive.lha

(It also works with other commands than x.)

Since q has a size of 256, and name has a size of 257, the second
case is not really a problem.

I have attached a patch against the upstream version 1.14i that
corrects this.

// Ulf Harnhammar
looking for a summer vacation job
http://www.advogato.org/person/metaur/
Download attachment "lha.obscure_buf_oflow.patch" of type "application/octet-stream" (427 bytes)
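
A bounded form of the name construction quoted in the message, as an added example: it is not part of the original post and is not the attached patch, whose contents are not shown on this page. The helper name build_extract_name and the 400-character directory are assumptions; the size 257 for name is the one stated in the message.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 257   /* size of name[] as stated in the message */

/*
 * Hypothetical helper (not lha's own code): build the output path into
 * name[] without ever writing more than name_size bytes.
 * Returns 0 on success, -1 if the combined path does not fit.
 */
int build_extract_name(char *name, size_t name_size,
                       const char *extract_directory, const char *q)
{
    int n;

    if (name == NULL || name_size == 0 || q == NULL)
        return -1;

    if (extract_directory != NULL)
        n = snprintf(name, name_size, "%s/%s", extract_directory, q);
    else
        n = snprintf(name, name_size, "%s", q);

    /* snprintf returns the length it needed; n >= name_size means truncation. */
    if (n < 0 || (size_t)n >= name_size) {
        name[0] = '\0';   /* refuse rather than extract to a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[NAME_SIZE];
    char long_dir[401];   /* constructed input: 400-character directory */

    memset(long_dir, 'A', sizeof(long_dir) - 1);
    long_dir[sizeof(long_dir) - 1] = '\0';

    printf("short dir: %d\n",
           build_extract_name(name, sizeof(name), "out", "file.txt"));
    printf("long dir:  %d\n",
           build_extract_name(name, sizeof(name), long_dir, "file.txt"));
    return 0;
}
```

Rejecting the over-long path, instead of silently truncating it, keeps the extractor from writing to a different file name than the one requested.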