#60341 closed update (fixed)
"LHa for UNIX": Outdated version with security vulnerabilities.
| Reported by: | xanadu3 | Owned by: | Kurt Hindenburg <kurt.hindenburg@…> |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | Cc: | kurthindenburg (Kurt Hindenburg) | |
| Port: | lha |
Description
The latest version of "LHa for UNIX" by Koji Arai is 1.14i-ac20081023.7c3cd95 (5 Oct 2019) which is available from https://github.com/jca02266/lha.
Version 1.14i-ac20050924p1 – the one that can be obtained through MacPorts – is now 15 years old and has a couple of unpatched security vulnerabilities.
Please, update the port to version 1.14i-ac20081023.7c3cd95
Change History (11)
comment:1 Changed 4 years ago by mf2k (Frank Schima)
comment:2 Changed 4 years ago by mf2k (Frank Schima)
| Priority: | High → Normal |
|---|
comment:3 Changed 4 years ago by kurthindenburg (Kurt Hindenburg)
| Cc: | kurthindenburg added |
|---|
I'd rather use the free replacement that Debian/Ubuntu uses https://fragglet.github.io/lhasa/
comment:4 Changed 4 years ago by xanadu3
Lhasa is unfortunately only a decompressor. For my purpose this is not enough. I use LHa also for compressing files. Maybe I'm not the only one.
comment:5 Changed 4 years ago by kurthindenburg (Kurt Hindenburg)
Ok that's fair; I have a working version but I don't know if the patch is still needed. It doesn't appear to have been added upstream. #12560
comment:6 Changed 4 years ago by xanadu3
I also couln't find the patch in Koji Arai's repository. Would you mind to propose it on his issue page? Else I would propose it.
comment:7 Changed 4 years ago by kurthindenburg (Kurt Hindenburg)
The INSTALL file has this; I wonder if that is the way they are handling this now.
This chain should run to completion with no failures. The only problem is that if you have files which have names with accented letters, LHa will store them correctly but mangle them when listing or extracting.
The easiest way around this is to reconfigure LHa to ignore the existence of multi-byte filenames:
$ ./configure --disable-multibyte-filename && make && make check
comment:8 Changed 4 years ago by xanadu3
I'd say that this is another bug. I guess the fix in the INSTALL file is meant to leave multibyte characters as they are, whereas your patch corrects wrong transformations between the Shift_JIS and UTF-8 encodings.
comment:9 Changed 4 years ago by kurthindenburg (Kurt Hindenburg)
I'll just leave our patch in - you can put in an issue for them if you want.
comment:10 Changed 4 years ago by Kurt Hindenburg <kurt.hindenburg@…>
| Owner: | set to Kurt Hindenburg <kurt.hindenburg@…> |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
The Priority field is for use by Macports team members only, please do not set it.