Bug 1572058 (CVE-2018-10195)
|Summary:||CVE-2018-10195 lrzsz: Integer overflow in src/zm.c:zsdata() causes crash in sz and can leak information to receiver|
|Product:||[Other] Security Response||Reporter:||Sam Fowler <sfowler>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED NOTABUG||QA Contact:|
|Fixed In Version:||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2018-04-27 09:34:09 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1572059, 1572060|
Description Sam Fowler 2018-04-26 06:03:46 UTC
Lrzsz has an integer overflow vulernability in the src/zm.c:zsdata() function. An attacker could exploit this with the sz command to cause a crash or potentially leak information to the receiving server. Additional References: https://bugzilla.novell.com/show_bug.cgi?id=1090051
Comment 1 Sam Fowler 2018-04-26 06:04:08 UTC
Created lrzsz tracking bugs for this issue: Affects: fedora-all [bug 1572059]
Comment 3 Miroslav Lichvar 2018-04-26 13:56:17 UTC
Does this affect our packages? We have the following patch (added for bug #75473), which fixes the zsdata() function to handle a length of zero: https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch The changelog of the SUSE package indicates it was fixed in the 0.12.21rc version, but that seems to be a different bug, which is related to zero-length files and mmap().
Comment 4 Sam Fowler 2018-04-27 05:38:53 UTC
(In reply to Miroslav Lichvar from comment #3) > Does this affect our packages? > > We have the following patch (added for bug #75473), which fixes the zsdata() > function to handle a length of zero: > https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch > > The changelog of the SUSE package indicates it was fixed in the 0.12.21rc > version, but that seems to be a different bug, which is related to > zero-length files and mmap(). I overlooked the patch, so I think you are correct and our packages are not affected. Happy for this bug and it's trackers to be closed as NOTABUG.
Comment 5 Cedric Buissart 2018-04-27 09:34:18 UTC
Statement: This issue did not affect the versions of lrzsz as shipped with Red Hat Enterprise Linux 5, 6, and 7. A patch was already applied for this vulnerability.