PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-1925 Lha For Unix Project CVE debrief

CVE-2016-1925 is a critical memory corruption flaw in lha’s archive header parsing. A large header size value in a level0 or level1 header can trigger an integer underflow in header.c, which in turn can lead to a buffer overflow while processing a crafted LHA archive.

Vendor
Lha For Unix Project
Product
CVE-2016-1925
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-23
Original CVE updated
2026-05-13
Advisory published
2017-01-23
Advisory updated
2026-05-13

Who should care

Operators and maintainers of systems that unpack or inspect LHA archives, including desktop tools, server-side file ingestion pipelines, antivirus or content-scanning services, and Linux distributions shipping lha.

Technical summary

NVD describes the issue as an integer underflow in header.c in lha. A large header size value for the level0 or level1 header can trigger the underflow and then a buffer overflow. NVD maps the weakness to CWE-191 and rates the issue CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable flaw with no privileges or user interaction required.
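The CWE-191 pattern NVD describes is easiest to see in code. The following C sketch is an added illustration for this debrief, not lha's header.c: it assumes a simplified header layout (a length byte, a fixed 24-byte prefix, then a variable-length name) and shows the unchecked subtraction that wraps when the length byte is smaller than the prefix, next to the bounds-checked form a fixed parser should use. The constant FIXED_PREFIX_LEN, the function names and the sample headers are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this illustration (not lha's real header.c): the first
 * byte of a header states the total header length, a fixed 24-byte prefix
 * follows, and the rest of the header is a variable-length file name. */
#define FIXED_PREFIX_LEN 24

/* CWE-191 pattern: the variable part is derived by subtracting the fixed
 * prefix from an attacker-controlled length byte. In unsigned arithmetic a
 * length byte smaller than the prefix wraps to a value near SIZE_MAX, and
 * any later copy sized by this value runs far past the real header. */
size_t remainder_len_unchecked(uint8_t header_size) {
    return (size_t)header_size - FIXED_PREFIX_LEN;
}

/* Hardened form: refuse lengths that would underflow and lengths that
 * exceed the bytes actually present, then subtract. Returns 0 on success
 * and -1 on a malformed header. */
int remainder_len_checked(uint8_t header_size, size_t available, size_t *out) {
    if (header_size < FIXED_PREFIX_LEN) {
        return -1;  /* would wrap below zero */
    }
    if ((size_t)header_size > available) {
        return -1;  /* header claims more bytes than the buffer holds */
    }
    *out = (size_t)header_size - FIXED_PREFIX_LEN;
    return 0;
}

/* Copy the variable-length name out of a header using the checked length.
 * Returns the name length, or -1 if the header is malformed or the name
 * does not fit in the destination (including its terminating NUL). */
int extract_name(const uint8_t *hdr, size_t hdr_len, char *name, size_t name_cap) {
    size_t n;
    if (hdr_len == 0 || remainder_len_checked(hdr[0], hdr_len, &n) != 0) {
        return -1;
    }
    if (n >= name_cap) {
        return -1;
    }
    memcpy(name, hdr + FIXED_PREFIX_LEN, n);
    name[n] = '\0';
    return (int)n;
}

/* Constructed sample: a well-formed 32-byte header whose length byte covers
 * the prefix plus the 8-byte name "test.txt". */
int demo_wellformed(char *name, size_t name_cap) {
    uint8_t hdr[32] = {0};
    hdr[0] = 32;
    memcpy(hdr + FIXED_PREFIX_LEN, "test.txt", 8);
    return extract_name(hdr, sizeof hdr, name, name_cap);
}

/* Constructed sample: the same buffer with the length byte set to 3, i.e.
 * smaller than the fixed prefix. The checked parser rejects it; the
 * unchecked arithmetic would have produced a length near SIZE_MAX. */
int demo_undersized(char *name, size_t name_cap) {
    uint8_t hdr[32] = {0};
    hdr[0] = 3;
    memcpy(hdr + FIXED_PREFIX_LEN, "test.txt", 8);
    return extract_name(hdr, sizeof hdr, name, name_cap);
}

int main(void) {
    char name[64];
    int ok = demo_wellformed(name, sizeof name);
    printf("well-formed: %d (%s)\n", ok, name);
    printf("undersized: %d\n", demo_undersized(name, sizeof name));
    printf("unchecked remainder for size 3: %zu\n", remainder_len_unchecked(3));
    return 0;
}
```

The two guards in remainder_len_checked are the whole fix for this bug class: compare before subtracting so the unsigned result can never wrap, and compare the claimed length against the bytes actually available so a truthful-looking length byte cannot point past the end of the input either. The same check should be applied to every length field a header parser reads, not just the first one.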

Defensive priority

High. Any environment that accepts untrusted LHA archives should prioritize patching or compensating controls: the published CVSS score is critical, and the flaw sits in the archive header-parsing code, so simply processing a crafted archive is enough to reach it.

Recommended defensive actions

  • Update lha to a fixed release if one is available from your distribution or upstream package source.
  • If you cannot patch immediately, restrict or disable processing of untrusted LHA archives in exposed services and ingestion workflows.
  • Review any applications, scanners, or automation that automatically open LHA files, including server-side upload handlers.
  • Prefer sandboxing and least-privilege isolation for archive extraction jobs.
  • Track distribution or vendor advisories, including Gentoo GLSA-202007-42, for packaged remediation guidance.

Evidence notes

The CVE description and NVD record state that a large header size value for the level0 or level1 header in an lha archive can trigger an integer underflow in header.c and then a buffer overflow. NVD lists CWE-191 and a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The official references include two oss-security mailing list posts from 2016-01-18 and a Gentoo security advisory (GLSA-202007-42).

Official resources

Publicly discussed in oss-security mailing list posts dated 2016-01-18; the CVE record was published by NVD on 2017-01-23 and last modified on 2026-05-13.