.LHA? That brings back some memories. Ah, Aminet.
People still use it in enough numbers for this to be a problem?
Cisco's Talos team has found a vulnerability in the Lhasa LZH/LHA decompression tool and library, and it's a nasty one because it means the decompression process gives attackers the chance to put whatever code they want on your machine. The problem is an integer underflow. “The software verifies that header values are not too …
> People still use it in enough numbers for this to be a problem?
I don't think end users owning archives is the problem here ... although depending on the payload I suppose it might also be. lhasa isn't on the machine I take on my commute for example, but critically its associated library *might* be on a server which deals with spam filtering/analysis of email attachments.
[Background: 'lhasa' has been the recommended extractor in Debian for some time, and while Ubuntu also offers 'lha' it's long in the tooth (on that front, there's also a sourceforge.jp version that I last chased up around 2005) and you might not need the latter unless you specifically want to create archives]