CVE-2016-2347

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2016-2347
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2347.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-2347
Downstream
Related
Published
2017-04-21T20:59:00.557Z
Modified
2026-04-11T03:43:42.710188Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Integer underflow in the decodelevel3header function in lib/lhafileheader.c in Lhasa before 0.3.1 allows remote attackers to execute arbitrary code via a crafted archive.

References

Affected packages

Git / github.com/fragglet/lhasa

Affected ranges

Type
GIT
Repo
https://github.com/fragglet/lhasa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2a6cc7f93cd97521bc46ca8ee286ce1d83feb185
Fixed
6fcdb8f1f538b9d63e63a5fa199c5514a15d4564
Fixed
c6d6ca6df218a54c94443f8d15afe2869461506f
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.3.0"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.1.0
v0.2.0
v0.3.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2347.json"
vanir_signatures 
[
    {
        "digest": {
            "length": 450.0,
            "function_hash": "205213664740166912401818331102733821536"
        },
        "id": "CVE-2016-2347-127c86b4",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/fragglet/lhasa/commit/6fcdb8f1f538b9d63e63a5fa199c5514a15d4564",
        "target": {
            "function": "extend_raw_data",
            "file": "lib/lha_file_header.c"
        }
    },
    {
        "digest": {
            "length": 919.0,
            "function_hash": "243803080807595711965693796938017383515"
        },
        "id": "CVE-2016-2347-2951ef9d",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/fragglet/lhasa/commit/6fcdb8f1f538b9d63e63a5fa199c5514a15d4564",
        "target": {
            "function": "decode_level3_header",
            "file": "lib/lha_file_header.c"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "81857088144805919651521459705044896562",
                "90865436915124334063461346229748683849",
                "168603969358282847260008075131334827623",
                "101587154781056942032226788173318447276",
                "164140291529182583489359734877066170927",
                "271716932972871301892963359679777099513",
                "72133410738862859589332295645323222629"
            ]
        },
        "id": "CVE-2016-2347-9e27d471",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/fragglet/lhasa/commit/6fcdb8f1f538b9d63e63a5fa199c5514a15d4564",
        "target": {
            "file": "lib/lha_file_header.c"
        }
    }
]
vanir_signatures_modified 
"2026-04-11T03:43:42Z"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "42.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "13.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    }
]