Opened 7 months ago

Closed 7 months ago

Last modified 7 months ago

#60341 closed update (fixed)

"LHa for UNIX": Outdated version with security vulnerabilities.

Reported by: xanadu3
Owned by: Kurt Hindenburg <kurt.hindenburg@…>
Priority: Normal
Milestone:
Component: ports
Version:
Keywords:
Cc: kurthindenburg (Kurt Hindenburg)
Port: lha

Description

The latest version of "LHa for UNIX" by Koji Arai is 1.14i-ac20081023.7c3cd95 (5 Oct 2019) which is available from https://github.com/jca02266/lha.

Version 1.14i-ac20050924p1 – the one that can be obtained through MacPorts – is now 15 years old and has a couple of unpatched security vulnerabilities.

Please update the port to version 1.14i-ac20081023.7c3cd95.

Change History (11)

comment:1 Changed 7 months ago by mf2k (Frank Schima)

The Priority field is for use by MacPorts team members only; please do not set it.

comment:2 Changed 7 months ago by mf2k (Frank Schima)

Priority: High → Normal

comment:3 Changed 7 months ago by kurthindenburg (Kurt Hindenburg)

Cc: kurthindenburg added

I'd rather use the free replacement that Debian/Ubuntu uses https://fragglet.github.io/lhasa/

comment:4 Changed 7 months ago by xanadu3

Lhasa is unfortunately only a decompressor. For my purpose this is not enough. I use LHa also for compressing files. Maybe I'm not the only one.

Last edited 7 months ago by xanadu3

comment:5 Changed 7 months ago by kurthindenburg (Kurt Hindenburg)

Ok that's fair; I have a working version but I don't know if the patch is still needed. It doesn't appear to have been added upstream. #12560

comment:6 Changed 7 months ago by xanadu3

I also couldn't find the patch in Koji Arai's repository. Would you mind proposing it on his issue page? Otherwise I would propose it.

comment:7 Changed 7 months ago by kurthindenburg (Kurt Hindenburg)

The INSTALL file has this; I wonder if that is the way they are handling this now.


This chain should run to completion with no failures. The only problem is that if you have files which have names with accented letters, LHa will store them correctly but mangle them when listing or extracting.

The easiest way around this is to reconfigure LHa to ignore the existence of multi-byte filenames:

$ ./configure --disable-multibyte-filename && make && make check

comment:8 Changed 7 months ago by xanadu3

I'd say that this is another bug. I guess the fix in the INSTALL file is meant to leave multibyte characters as they are, whereas your patch corrects wrong transformations between the Shift_JIS and UTF-8 encodings.

comment:9 Changed 7 months ago by kurthindenburg (Kurt Hindenburg)

I'll just leave our patch in - you can put in an issue for them if you want.

comment:10 Changed 7 months ago by Kurt Hindenburg <kurt.hindenburg@…>

Owner: set to Kurt Hindenburg <kurt.hindenburg@…>
Resolution: fixed
Status: new → closed

In 91181682d9827305f6ca58cfa0b40a5b012350d8/macports-ports (master):

lha: update to latest version

closes: #60341

comment:11 Changed 7 months ago by xanadu3

Great! Thank you very much!
