FreeBSD Ports: lha

The remote host is missing an update to the system as announced in the referenced advisory.

The following package is affected: lha CVE-2004-0694 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2004-0745 LHA 1.14 and earlier allows attackers to execute arbitrary commands via a directory with shell metacharacters in its name. CVE-2004-0769 Buffer overflow in LHA allows remote attackers to execute arbitrary code via long pathnames in LHarc format 2 headers for a .LHZ archive, as originally demonstrated using the 'x' option but also exploitable through 'l' and 'v', and fixed in header.c, a different issue than CVE-2004-0771. CVE-2004-0771 Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries.

Update your system with the appropriate patches or software upgrades. http://bugs.gentoo.org/show_bug.cgi?id=51285 http://xforce.iss.net/xforce/xfdb/16196 http://marc.theaimsgroup.com/?l=bugtraq&m=108464470103227 http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153 http://www.vuxml.org/freebsd/273cc1a3-0d6b-11d9-8a8a-000c41e2cdad.html