Nasty Flaw found in Lhasa LZH/LHA decompression tool

Daleb
Posts: 22
Joined: Thu 21 Jan 2016, 08:25

Nasty Flaw found in Lhasa LZH/LHA decompression tool

#1 Post by Daleb »

http://blog.talosintel.com/2016/03/vuln ... lhasa.html

Cisco's Talos team has found a vulnerability in the Lhasa LZH/LHA decompression tool and library, and it's a nasty one because it means the decompression process gives attackers the chance to put whatever code they want on your machine.

The problem is an integer underflow.

“The software verifies that header values are not too large, but does not check for a too small header length,
Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#2 Post by Scooby »

OK

But what is required to be vulnerable?

I for one do not have the lhasa tool installed?

Is it common in most puppies?
8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

From CVE-Mitre org site

#3 Post by 8Geee »

The following description comes from Cisco-Talos...

TALOS-2016-0095
Lhasa lha decode_level3_header Heap Corruption Vulnerability
March 31, 2016
Report ID
CVE-2016-2347

Summary

An exploitable integer underflow exists during the calculation of the size for all headers in the decode_level3_header function of the Lhasa (lha) application.

A value of header_len smaller than LEVEL_3_HEADER_LEN (32) causes an integer underflow during subtraction and later leads to memory corruption via a heap-based buffer overflow.

Full report is here.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
User avatar
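The arithmetic behind the advisory quoted in post #3, as an added example that is not part of the thread and not Lhasa's own source. Only `header_len` and `LEVEL_3_HEADER_LEN` (32) come from the advisory; `MAX_HEADER_LEN`, `remaining_unchecked` and `remaining_checked` are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LEVEL_3_HEADER_LEN 32u      /* value quoted in the advisory */
#define MAX_HEADER_LEN     0x10000u /* assumed upper bound, constructed for this sketch */

/* Only the "too large" case is rejected. For header_len < 32 the unsigned
 * subtraction wraps around, so the "remaining bytes" figure becomes a value
 * close to 4 GiB instead of a negative number. */
size_t remaining_unchecked(uint32_t header_len)
{
    if (header_len > MAX_HEADER_LEN)
        return 0;
    uint32_t remaining = header_len - LEVEL_3_HEADER_LEN; /* wraps when too small */
    return (size_t)remaining;
}

/* Both bounds are checked before any arithmetic. Returns 0 on success and
 * stores the remaining length in *out; returns -1 for a malformed header. */
int remaining_checked(uint32_t header_len, size_t *out)
{
    if (header_len > MAX_HEADER_LEN || header_len < LEVEL_3_HEADER_LEN)
        return -1;
    *out = (size_t)(header_len - LEVEL_3_HEADER_LEN);
    return 0;
}

int main(void)
{
    /* Constructed sample lengths: one valid, one exactly minimal, one too small. */
    uint32_t samples[] = { 40u, 32u, 10u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t safe = 0;
        int rc = remaining_checked(samples[i], &safe);
        printf("header_len=%u unchecked=%zu checked=%s\n",
               (unsigned)samples[i],
               remaining_unchecked(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

A length computed this way is what later sizes a read into a heap buffer, which is why the missing lower-bound test matters.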
8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

separately

#4 Post by 8Geee »

The XArchive utility in some puppies does not recognize the lha (LHASA) compression format. However, users with an IBM/Lenovo based PC/lappy MAY have it in Windows as X-Force.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
Daleb
Posts: 22
Joined: Thu 21 Jan 2016, 08:25

Re: Nasty Flaw found in Lhasa LZH/LHA decompression tool

#5 Post by Daleb »

Scooby wrote:OK

But what is required to be vulnerable?

I for one do not have the lhasa tool installed?

Is it common in most puppies?
Daleb wrote:Noga reckons the first thing bad guys would do with this flaw is put something horrid in a compressed file in the hope you open it and end up with something nasty on your machine. He's also worried that this could become an espionage tool, because the tool is used in roles where users never see it, like decompressing email attachments. If the flaw means code runs somewhere like an email server, it could read the contents of files and exfiltrate them and users who are ignorant of attachments being compressed to start with will never suspect anything is amiss.
I'm guessing by that line it's both Windows and Linux users???
Atle
Posts: 596
Joined: Wed 19 Nov 2008, 12:38
Location: Oslo, Norway

#6 Post by Atle »

Last edited by Atle on Mon 04 Apr 2016, 14:57, edited 3 times in total.
Atle
Posts: 596
Joined: Wed 19 Nov 2008, 12:38
Location: Oslo, Norway

#7 Post by Atle »

This all came out very wrong.... is this what it's about?

https://en.wikipedia.org/wiki/LHA_(file_format)
Last edited by Atle on Mon 04 Apr 2016, 14:58, edited 2 times in total.
Atle
Posts: 596
Joined: Wed 19 Nov 2008, 12:38
Location: Oslo, Norway

#8 Post by Atle »

Double sorry for a triple
8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#9 Post by 8Geee »

Yes, this is what it's about. Common in Japan and the Far East, and used in DOS (up to WIN7 anyways). Generally limited to Windows OS, but we (puppy users) should check into WINE compatibility. So 'possibly' WINE users 'may' be affected.

I personally don't use WINE, but realise the implication to non-USA users with M$ os's.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

Re: Nasty Flaw found in Lhasa LZH/LHA decompression tool

#10 Post by Scooby »

Scooby wrote:OK

But what is required to be vulnerable?

I for one do not have the lhasa tool installed?

Is it common in most puppies?
Daleb wrote:Noga reckons the first thing bad guys would do with this flaw is put something horrid in a compressed file in the hope you open it and end up with something nasty on your machine. He's also worried that this could become an espionage tool, because the tool is used in roles where users never see it, like decompressing email attachments. If the flaw means code runs somewhere like an email server, it could read the contents of files and exfiltrate them and users who are ignorant of attachments being compressed to start with will never suspect anything is amiss.
Daleb wrote: I'm guessing by that line it's both Windows and Linux users???
Yeah, it's also for Linux users; however, my point is that it is not present on my system and hence I'm not directly vulnerable.

I recognize that I am indirectly vulnerable too, as described by your quote, as in an email server. However, I cannot do anything about that on my comp. That is for the email-server admin to address.

From the responses I gather that the lha tool is not common on puppies, so we cannot do much to address it, right?
Daleb
Posts: 22
Joined: Thu 21 Jan 2016, 08:25

#11 Post by Daleb »

Sorry Dude but all I know is what the news article says and I don't fully understand it myself.

It turned up on Google news search and some of the user comments were going loopy about it so I thought I would post it on here.
Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#12 Post by Scooby »

Daleb wrote: Sorry Dude but all I know is what the news article says and I don't fully understand it myself.

It turned up on Google news search and some of the user comments were going loopy about it so I thought I would post it on here.
Yep, and I appreciate that, keep it coming.

But in my opinion it is important to discern the real level of threat
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#13 Post by rufwoof »

I run DebianDog Jessie (Openbox) http://murga-linux.com/puppy/viewtopic. ... 903#847903 and hadn't run an update for a week or two. After just running it, it looks like quite a few updates have occurred recently, some of which might be fixes for the lzh/lha ???

That's one of the main reasons I like DD - Debian seem to keep right on top of fixes and also stick to stable versions of programs.

Toni and Fred do a great job of puppy'fying Debian (I frugal boot (Porteus style)). Best of both worlds :)
Daleb
Posts: 22
Joined: Thu 21 Jan 2016, 08:25

#14 Post by Daleb »

Scooby wrote:But in my opinion it is important to discern the real level of threat
I've not seen it mentioned on the main News sites like Heartbleed.

I wonder if the term in the article "espionage tool" means it refers to internal mail systems used by large companies rather than global email servers like Gmail.

But I'm just guessing.........
rufwoof wrote:That's one of the main reasons I like DD - Debian seem to keep right on top of fixes and also stick to stable versions of programs
It seems the days of not bothering to update or patch Linux are well and truly over..........