BugTraq
Back to list
|
Post reply
lha buffer overflow(s) again
May 15 2004 11:09AM
lw wszia edu pl
i posted it yesterday to bugs (at) redhat (dot) com [email concealed] but mailbox is disabled for that recipient :-/
Date: Sat, 15 May 2004 00:24:09 +0200 (CEST)
From: Lukasz Wojtow <gnz (at) student.wszia.edu (dot) pl [email concealed]>
To: bugs (at) redhat (dot) com [email concealed]
Subject: LHA buffer overflow (not the last one already fixed)
it seems that lha is quite poorly written. after your last advisory, i
decided to take a look at the code and found 2 BO in function extract_one
(file lhext.c):
if (extract_directory)
sprintf(name, "%s/%s", extract_directory, q);
else
strcpy(name, q);
i bet there is more...
Regards
Lukasz Wojtow
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
i posted it yesterday to bugs (at) redhat (dot) com [email concealed] but mailbox is disabled for that recipient :-/
Date: Sat, 15 May 2004 00:24:09 +0200 (CEST)
From: Lukasz Wojtow <gnz (at) student.wszia.edu (dot) pl [email concealed]>
To: bugs (at) redhat (dot) com [email concealed]
Subject: LHA buffer overflow (not the last one already fixed)
it seems that lha is quite poorly written. after your last advisory, i
decided to take a look at the code and found 2 BO in function extract_one
(file lhext.c):
if (extract_directory)
sprintf(name, "%s/%s", extract_directory, q);
else
strcpy(name, q);
i bet there is more...
Regards
Lukasz Wojtow
[ reply ]