Bugzilla – Bug 58081
VUL-0: CVE-2004-0771: lha: several other bugs fixed
Last modified: 2021-10-04 09:02:02 UTC
Hi, please have a look at this page: http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153 Do we have these bugs fixed too?
Gentoo bug: Already applied. Exploit of Lukasz Wojtow: Segfaults. Debian: Patch has no rejects (it creates changed files in directory debian): patching file man/lha.man patching file debian/README.Debian patching file debian/header.c patching file debian/changelog patching file debian/control patching file debian/lha.1 patching file debian/lhext.c patching file debian/lha.h patching file debian/rules patching file debian/dirs patching file debian/copyright patching file debian/docs patching file debian/patch.paul patching file debian/patch.CAN-2004-0234_0235 patch.CAN-2004-0234_0235: Already applied. patch.paul: Not applied, only include change. Changed files in directory debian differences in comparison with SuSE Linux STABLE: sbrabec@unicorn:~/STABLE/lha/BUILD/lha-114i/debian> diff src/header.c debian/header.c 541,544d540 < if (header_size >= 256) { < fprintf(stderr, "Possible buffer overflow hack attack, type #1\n"); < exit(109); < } 554,557d549 < if (header_size >= FILENAME_LENGTH) { < fprintf(stderr, "Possible buffer overflow hack attack, type #2\n"); < exit(110); < } sbrabec@unicorn:~/STABLE/lha/BUILD/lha-114i/debian> diff src/lhext.c debian/lhext.c 193,197d192 < if (is_directory_traversal(q)) { < fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q); < exit(111); < } < 199c194 < while (*q == '/') { q++; } --- > q++; 215,219c210,212 < snprintf(name, sizeof(name), "%s/%s", extract_directory, q); < else { < strncpy(name, q, sizeof(name)); < name[sizeof(name) - 1] = '\0'; < } --- > sprintf(name, "%s/%s", extract_directory, q); > else > strcpy(name, q); 429,455d421 < int < is_directory_traversal(char *string) < { < unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */ < char *temp; < < temp = string; < < while (*temp != 0) { < if (temp[0] == '/') { < if (type == 1) { return 1; } < type = 0; < temp++; < continue; < } < < if ((temp[0] == '.') && (type < 2)) < type = 1; < if (temp[0] != '.') < type = 2; < < temp++; < } /* 
while */ < < return (type == 1); < } <
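Review bot: both guards in the header.c hunk test header_size (the `>= 256` and `>= FILENAME_LENGTH` checks) and neither looks at the name-length byte, so confirm that the copy they protect is bounded by header_size rather than by a separately read name length; a small header_size combined with a large name length passes both checks unless the later copy is clamped too. The `exit(109)` / `exit(110)` paths also abort the whole run instead of skipping the offending entry.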
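Review bot: the rejection at `if (is_directory_traversal(q)) { fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q); exit(111); }` aborts the entire extraction on the first bad entry and echoes the archive-controlled name q raw through `%s`; consider skipping the entry and continuing, and escaping non-printable bytes before printing an untrusted string to the terminal. The `while (*q == '/') { q++; }` loop that follows is the right fix for absolute names, since a single `q++` only removed one leading slash.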
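Review bot: is_directory_traversal() flags every component made only of dots (type stays 1 until a non-dot byte is seen), so `.` and `...` are rejected along with `..`, although only `..` actually leaves the extraction directory; comparing each component against ".." exactly would avoid refusing legitimate names such as `./file`. The `return (type == 1)` after the loop correctly covers a trailing `..` with no slash after it.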
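The header_size guards quoted in the diff above check a declared length before it is used to fill a fixed buffer. What follows is an added example, not code from lha or from any patch in this bug, of a level-0 header parser that validates every length field against the bytes actually present and against its own buffers before copying. The header layout in the comment, the FILENAME_LENGTH value of 256, the error codes and the sample headers are all this example's own assumptions; the samples are constructed inline and are not real archives.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed simplified LHA level-0 header layout (example only):
 *   [0]      header size: bytes that follow the checksum byte
 *   [1]      header checksum (not modelled here)
 *   [2..6]   method id, e.g. "-lh5-"
 *   [7..10]  packed size, little-endian
 *   [11..14] original size, little-endian
 *   [15..18] DOS time/date
 *   [19]     attribute
 *   [20]     header level, 0
 *   [21]     name length
 *   [22..]   name bytes, then a 2-byte CRC
 */
#define NAME_FIELD_OFF    22
#define FIXED_AFTER_SIZE  20   /* bytes between the checksum and the name */
#define CRC_LEN           2
#define FILENAME_LENGTH   256  /* assumed size of the name buffer */

enum { HDR_OK = 0, HDR_SHORT = -1, HDR_BAD_SIZE = -2, HDR_BAD_NAME = -3 };

struct lha_entry {
    char     method[6];
    uint32_t packed_size;
    uint32_t original_size;
    char     name[FILENAME_LENGTH];
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Every length read from the archive is checked against the bytes available
 * and against the fixed buffers before anything is copied. */
int parse_level0_header(const uint8_t *buf, size_t buflen, struct lha_entry *e)
{
    if (buflen < 2)
        return HDR_SHORT;
    size_t header_size = buf[0];
    if (header_size < FIXED_AFTER_SIZE + CRC_LEN)            /* cannot hold the fixed fields */
        return HDR_BAD_SIZE;
    if (header_size + 2 > buflen)                            /* declared header runs past the data */
        return HDR_SHORT;
    if (buf[20] != 0)                                        /* not a level-0 header */
        return HDR_BAD_SIZE;
    size_t name_len = buf[21];
    if (name_len >= FILENAME_LENGTH)                         /* must leave room for the NUL */
        return HDR_BAD_NAME;
    if (FIXED_AFTER_SIZE + name_len + CRC_LEN > header_size) /* name must lie inside the header */
        return HDR_BAD_NAME;

    memcpy(e->method, buf + 2, 5);
    e->method[5] = '\0';
    e->packed_size   = le32(buf + 7);
    e->original_size = le32(buf + 11);
    memcpy(e->name, buf + NAME_FIELD_OFF, name_len);
    e->name[name_len] = '\0';
    return HDR_OK;
}

/* Constructed sample headers for the demonstration (not from a real archive). */
enum { SAMPLE_BENIGN, SAMPLE_HUGE_NAME_LEN, SAMPLE_TRUNCATED };

static size_t make_sample(int which, uint8_t *buf, size_t bufsz)
{
    static const char name[] = "readme.txt";
    size_t name_len = sizeof(name) - 1;
    size_t total = NAME_FIELD_OFF + name_len + CRC_LEN;     /* 34 bytes */
    if (bufsz < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(total - 2);       /* header_size excludes itself and the checksum */
    memcpy(buf + 2, "-lh5-", 5);
    buf[7]  = 0x10;                      /* packed size 16 */
    buf[11] = 0x20;                      /* original size 32 */
    buf[21] = (uint8_t)name_len;
    memcpy(buf + NAME_FIELD_OFF, name, name_len);
    if (which == SAMPLE_HUGE_NAME_LEN)
        buf[21] = 0xFF;                  /* claims a 255-byte name inside a 32-byte header */
    else if (which == SAMPLE_TRUNCATED)
        buf[0] = 0xFF;                   /* claims 257 bytes of header, only 34 are present */
    return total;
}

int parse_sample(int which)
{
    uint8_t buf[64];
    struct lha_entry e;
    size_t n = make_sample(which, buf, sizeof buf);
    return parse_level0_header(buf, n, &e);
}

int sample_name_is(int which, const char *expected)
{
    uint8_t buf[64];
    struct lha_entry e;
    size_t n = make_sample(which, buf, sizeof buf);
    return parse_level0_header(buf, n, &e) == HDR_OK && strcmp(e.name, expected) == 0;
}

int main(void)
{
    printf("benign: %d, huge name length: %d, truncated: %d\n",
           parse_sample(SAMPLE_BENIGN), parse_sample(SAMPLE_HUGE_NAME_LEN),
           parse_sample(SAMPLE_TRUNCATED));
    return 0;
}
```

The point of the two name checks is that a one-byte name length can never exceed 255, so a `>= FILENAME_LENGTH` test alone is unreachable with a 256-byte buffer; the check that actually catches the hostile sample is the one tying name_len to the declared header_size and the bytes really read.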
This probably means that we are still vulnerable... So please apply this patch. The exploit must not segfault afterwards.
Which patch? I don't see any patch to be applied. The above-mentioned difference is CAN-2004-0234_0235. After applying it to debian/, only the following remains, and it seems that our code has an extra check and Debian only has an extra make_parent_path(). --- src/lhext.c 2004-07-16 14:50:06.867616009 +0200 +++ debian/lhext.c 2004-07-16 14:50:43.413669943 +0200 @@ -212,11 +212,9 @@ } if (extract_directory) - snprintf(name, sizeof(name), "%s/%s", extract_directory, q); - else { - strncpy(name, q, sizeof(name)); - name[sizeof(name) - 1] = '\0'; - } + sprintf(name, "%s/%s", extract_directory, q); + else + strcpy(name, q); /* LZHDIRS_METHOD�����ĥإå��������å����� */ @@ -358,6 +356,7 @@ } unlink(bb1); + make_parent_path(bb1); l_code = symlink(bb2, bb1); if (l_code < 0) { if (quiet != TRUE)
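Review bot: the first hunk is oriented src -> debian/, so its `+` lines are the `sprintf(name, "%s/%s", extract_directory, q);` and `strcpy(name, q);` versions; fed to patch as-is it would drop the bounded copy and reintroduce the overflow into `name`. Treat it as a comparison only, or regenerate it with the arguments reversed before anyone applies it.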
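Review bot: `make_parent_path(bb1)` in the second hunk creates directories for the link path before `symlink(bb2, bb1)`, but nothing in the hunk shows bb1 going through the leading-slash stripping and traversal check that `q` receives in the extract path; confirm bb1 is the sanitised name, otherwise the mkdir happens wherever the archive says.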
Yes, Debian is missing the check: --- lhext.c.old 2000-10-04 16:57:38.000000000 +0200 +++ lhext.c 2004-05-16 00:27:22.000000000 +0200 @@ -207,9 +207,11 @@ } if (extract_directory) - sprintf(name, "%s/%s", extract_directory, q); - else - strcpy(name, q); + snprintf(name, sizeof(name), "%s/%s", extract_directory, q); + else { + strncpy(name, q, sizeof(name)); + name[sizeof(name) - 1] = '\0'; + } We got this fix, and Stanislav, if I understand you correctly (the network at Nuremberg is hanging, otherwise I could have looked it up on my own), patch CAN-2004-0234_0235 is in our lha package too. Stanislav, if this is right please close this bug. Thanks.
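Review bot: `snprintf`/`strncpy` here stop the overflow but truncate silently, so an entry whose path exceeds `sizeof(name)` is extracted under a different, shortened name than the archive declared. Check snprintf's return value (`>= sizeof(name)`) and the length of q before the strncpy, and refuse the entry rather than extracting it to a truncated path.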
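The patched lines above build the destination name from the extraction directory and the archive entry. As an added example (not lha's code and not the Debian or SUSE patch), the same construction is shown with the two points raised in this thread handled explicitly: leading slashes are stripped and `..` components rejected before any copy, and the snprintf result is checked for truncation instead of being accepted silently. The buffer size, status codes, helper names and sample entry names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* assumed destination buffer size, standing in for lha's name[] */

enum { PATH_OK = 0, PATH_TRAVERSAL = -1, PATH_TOO_LONG = -2, PATH_EMPTY = -3 };

/* True if any '/'-separated component is exactly "..". Components such as
 * "." or "..." never leave the extraction directory and are accepted. */
static int has_dotdot_component(const char *p)
{
    const char *start = p;
    for (;; p++) {
        if (*p == '/' || *p == '\0') {
            if (p - start == 2 && start[0] == '.' && start[1] == '.')
                return 1;
            if (*p == '\0')
                return 0;
            start = p + 1;
        }
    }
}

/* Builds dest = extract_directory "/" entry (or just entry), but treats
 * truncation as an error instead of extracting under a shortened name. */
int build_extract_path(char *dest, size_t destsz,
                       const char *extract_directory, const char *entry)
{
    while (*entry == '/')                 /* absolute names become relative */
        entry++;
    if (*entry == '\0')
        return PATH_EMPTY;
    if (has_dotdot_component(entry))
        return PATH_TRAVERSAL;

    int n = extract_directory
          ? snprintf(dest, destsz, "%s/%s", extract_directory, entry)
          : snprintf(dest, destsz, "%s", entry);
    if (n < 0 || (size_t)n >= destsz) {   /* snprintf reports the length it wanted */
        if (destsz > 0)
            dest[0] = '\0';
        return PATH_TOO_LONG;
    }
    return PATH_OK;
}

/* Demonstration helper: returns the status code, or 99 if a path was built
 * but differs from `expected`. destsz is clamped to PATH_BUF. */
int check_extract_path(size_t destsz, const char *dir, const char *entry, const char *expected)
{
    char dest[PATH_BUF];
    if (destsz > sizeof dest)
        destsz = sizeof dest;
    int rc = build_extract_path(dest, destsz, dir, entry);
    if (rc == PATH_OK && (expected == NULL || strcmp(dest, expected) != 0))
        return 99;
    return rc;
}

int main(void)
{
    /* Constructed entry names covering the cases discussed in the bug. */
    const char *names[] = { "docs/readme.txt", "/etc/passwd", "../../etc/passwd",
                            "foo/../bar", "./a/...b/c", "///" };
    char dest[PATH_BUF];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = build_extract_path(dest, sizeof dest, "out", names[i]);
        printf("%-20s -> %s (%d)\n", names[i], rc == PATH_OK ? dest : "rejected", rc);
    }
    return 0;
}
```

This is a lexical check only: it says nothing about a symlink entry extracted earlier in the same archive, which can still redirect a later write outside the tree, so symlink entries need their own handling as discussed further down.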
I have looked at your links and here is the summary: We have all patches from the Debian (except one line) and Gentoo links. But the test archive still causes a segfault (see #2). Even with the one additional line which Debian has (see #4).
Can you run gdb on lha while it opens the test archive please. It looks like there are just more sprintfs and strcpys around.
Created attachment 22305 [details] lha_gdb.log.bz2
No backtrace is possible, attaching trace log. Line numbers are valid for current STABLE, Debian extra line not used.
(gdb) bt
#0 0x40065b55 in __vstrfmon_l () from /lib/libc.so.6
Cannot access memory at address 0x41414145
Looks like this code needs an audit...
Created attachment 22323 [details] lha-security-code-review.diff
This patch seems to fix the bug but I am not sure if it breaks something. ;)
thomas@Spiral:/tmp/lha> !per
perl expl.pl > ar.lhz
thomas@Spiral:/tmp/lha> lha -e ar.lhz
thomas@Spiral:/tmp/lha>
Created attachment 22324 [details] lha.strc strace dump
Stanislav, I'll attach the patchinfo files ASAP. Can you prepare the updates please.
Created attachment 22365 [details] patchinfo-box.lha
Created attachment 22366 [details] patchinfo.lha
Which updates? I have no new patch except the one mentioned below. And the change mentioned below does not fix the segfault on the exploit archive. --- src/lhext.c 2004-07-16 14:50:06.867616009 +0200 +++ debian/lhext.c 2004-07-16 14:50:43.413669943 +0200 @@ -358,6 +356,7 @@ } unlink(bb1); + make_parent_path(bb1); l_code = symlink(bb2, bb1); if (l_code < 0) { if (quiet != TRUE)
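Review bot: the link target bb2 passed to `symlink(bb2, bb1)` is not constrained anywhere in this hunk, so an entry can point a name inside the extraction directory at an arbitrary path, and a later entry written through that link lands outside the tree whether or not `make_parent_path(bb1)` is present. Validate or reject absolute and `..` targets, or create symlink entries only after all regular files have been written.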
Created attachment 22367 [details] archive.lhz
Try "lha -e archive.lhz" to check a possible patch. The patch from #15 does not fix this crash and it seems that we don't have any other patches. The archive comes from Lukasz Wojtow <lw@wszia.edu.pl>. http://lw.ftw.zamosc.pl/lha-exploit.txt
comment #10
Sorry. And Debian diff #15 is needed/useful?
I am not sure about the usefulness of the added make_parent_path(bb1). My patch is based on a patched 9.1 lha version, without the make_parent_path(), and it seems to work.
Submitted patch from comment #10 for 8.0-all 8.2-all 9.0-all sles7 sles7-ppc sles9-all stable-all ul1-all.
Please also submit the patchinfos...
I did it to speed the process up.
To: suse-dist@suse.de
Cc:
Attchmnt:
Subject: patchinfos for lha submitted.
----- Message Text -----
hi,
the patchinfos for bug 58081 can be found at:
/work/src/done/PATCHINFO/patchinfo-box.lha
/work/src/done/PATCHINFO/patchinfo.lha
Bye,
Thomas
-- Thomas Biege <thomas@suse.de>, SUSE LINUX AG, Security Support & Auditing -- Machines should work. People should think. -- Richard W. Hamming
(Btw, the rmdir patch is actually not needed as we have ftruncate...)
Good news. We should keep it for the sake of completeness.
CRD: 11th Aug. 16:00 MEST
No one cared about a coordinated release, therefore I approved them now. :)
CVE-2004-0771
CVE-2004-0771: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)