Bug 1572058 (CVE-2018-10195)

Summary: CVE-2018-10195 lrzsz: Integer overflow in src/zm.c:zsdata() causes crash in sz and can leak information to receiver
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mlichvar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-27 09:34:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1572059, 1572060    
Bug Blocks: 1572061    

Description Sam Fowler 2018-04-26 06:03:46 UTC 
Lrzsz has an integer overflow vulernability in the src/zm.c:zsdata() function. An attacker could exploit this with the sz command to cause a crash or potentially leak information to the receiving server.


Additional References:

https://bugzilla.novell.com/show_bug.cgi?id=1090051
Comment 1 Sam Fowler 2018-04-26 06:04:08 UTC 
Created lrzsz tracking bugs for this issue:

Affects: fedora-all [bug 1572059]
Comment 3 Miroslav Lichvar 2018-04-26 13:56:17 UTC 
Does this affect our packages?

We have the following patch (added for bug #75473), which fixes the zsdata() function to handle a length of zero:
https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch

The changelog of the SUSE package indicates it was fixed in the 0.12.21rc version, but that seems to be a different bug, which is related to zero-length files and mmap().
Comment 4 Sam Fowler 2018-04-27 05:38:53 UTC 
(In reply to Miroslav Lichvar from comment #3)
> Does this affect our packages?
> 
> We have the following patch (added for bug #75473), which fixes the zsdata()
> function to handle a length of zero:
> https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch
> 
> The changelog of the SUSE package indicates it was fixed in the 0.12.21rc
> version, but that seems to be a different bug, which is related to
> zero-length files and mmap().

I overlooked the patch, so I think you are correct and our packages are not affected. Happy for this bug and it's trackers to be closed as NOTABUG.
Comment 5 Cedric Buissart 2018-04-27 09:34:18 UTC 
Statement:

This issue did not affect the versions of lrzsz as shipped with Red Hat Enterprise Linux 5, 6, and 7. A patch was already applied for this vulnerability.