Arch Linux: ASA-201604-8 High Severity: Lhasa Arbitrary Code Execution

Arch Linux Security Advisory ASA-201604-8
========================================
Severity: High
Date    : 2016-04-14
CVE-ID  : CVE-2016-2347
Package : lhasa
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package lhasa before version 0.3.1-1 is vulnerable to arbitrary code
execution.

Resolution
=========
Upgrade to 0.3.1-1.

# pacman -Syu "lhasa>=0.3.1-1"

The problems has been fixed upstream in version 0.3.1

Workaround
=========
None.

Description
==========
An exploitable integer underflow exists during calculation size for all
headers in decode_level3_header function of Lhasa (lha) application.

Smaller value of header_len than LEVEL_3_HEADER_LEN ( 32 ) cause during
subtraction integer underflow and lead later to memory corruption via
heap based buffer overflow.

Impact
=====
A remote attacker is able to create a specially crafted LHA archive that
results in a heap based buffer overflow leading to arbitrary code execution.

References
=========
https://talosintelligence.com/vulnerability_reports/TALOS-2016-0095/
https://www.cve.org/CVERecord?id=CVE-2016-2347