Bug 153183 - ZRPOS file position not validated; segfaults possible
Summary: ZRPOS file position not validated; segfaults possible
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: lrzsz
Version: fc2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Depends On:
Reported: 2005-04-02 06:13 UTC by Joe Krahn
Modified: 2007-04-18 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-04-10 19:11:57 UTC


Description Joe Krahn 2005-04-02 06:13:17 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Description of problem:
When sending a file with lsz, the receiver can send a ZRPOS command, repositioning the file pointer. This is not checked for being in-bounds. Because it uses mmap, this allows the pointer to be positioned out-of-bounds, and causes a segfault.

Look at getinsync() in lsz.c.

This is probably a security issue, because the receiver could use it to access memory outside of the file bounds. It seems not to be a problem on receiving, so I don't think a client can get rz/sz to execute code. So, it's certainly a minimal security risk.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up a ZMODEM receiver to send invalid ZRPOS packets.
2. Run lsz.

Actual Results:  Segfault.

Additional info:

I found this bug while trying to upload firmware to a device with a buggy zmodem implementation that sends decimal instead of hex file position data. So, I don't have a simple way to reproduce the bug.
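
The bounds check the report asks for, as an added example that is not lrzsz's own code: a minimal sender-side ZRPOS handler that decodes the hex header body, assembles the little-endian 32-bit position the way lrzsz's rclhdr() does, and rejects any position beyond the file length before it is turned into a pointer into the mapping. The ZHEX framing bytes (ZPAD, ZDLE, ZHEX) and the CRC-16 trailer are left out as a simplification; the "file" is a constructed 16-byte buffer standing in for the mmap'd file; struct sendfile, seek_unchecked, seek_checked, handle_zrpos and sample_file are names chosen here, not identifiers from lsz.c. It also illustrates the decimal-vs-hex mismatch mentioned above: a receiver that writes "16" meaning decimal 16 is read by a hex parser as 0x16 = 22, which is past the end of a 16-byte file and must be refused.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ZMODEM frame type for "receiver requests sender to reposition" (spec value 9).
   The four header bytes ZP0..ZP3 carry the file position, ZP0 = low byte. */
#define ZRPOS 9

/* Sender's view of the file being transmitted. In lsz this is the mmap'd
   file; here 'map' is just a pointer into a constructed in-memory buffer. */
struct sendfile {
    const unsigned char *map;   /* start of the mapping */
    size_t len;                 /* file length in bytes */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                  /* not a hex digit (e.g. NUL, garbage) */
}

/* Decode the 10-hex-digit body of a ZHEX header: "TT P0P1P2P3" (frame type,
   then the four position bytes). Fills hdr[0..4]; returns 0 on success,
   -1 on any non-hex character, including a body that is too short. */
int parse_hex_header(const char *body, unsigned char hdr[5])
{
    for (int i = 0; i < 5; i++) {
        int hi = hexval((unsigned char)body[2 * i]);
        if (hi < 0) return -1;  /* checked first so we never read past a NUL */
        int lo = hexval((unsigned char)body[2 * i + 1]);
        if (lo < 0) return -1;
        hdr[i] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/* Same assembly as lrzsz's rclhdr(): little-endian 32-bit value from
   the four position bytes p[0..3]. */
uint32_t rclhdr(const unsigned char *p)
{
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[1] << 8)  |  (uint32_t)p[0];
}

/* The unchecked pattern the bug describes: the receiver-supplied position is
   added to the mapping base with no comparison against the file length, so a
   position past 'len' yields a pointer outside the mapping. Dereferencing it
   is what produces the reported segfault. Kept only for contrast. */
const unsigned char *seek_unchecked(const struct sendfile *f, uint32_t pos)
{
    return f->map + pos;
}

/* Checked version: accept only 0 <= pos <= len. pos == len is legitimate
   (the receiver already has everything, so the sender answers with ZEOF);
   anything larger is refused before a pointer is formed. */
int seek_checked(const struct sendfile *f, uint32_t pos, const unsigned char **out)
{
    if ((uint64_t)pos > (uint64_t)f->len) return -1;
    *out = f->map + pos;
    return 0;
}

/* Handle one incoming ZRPOS header body. Returns the validated new position,
   or -1 if the body is malformed, is not a ZRPOS frame, or is out of range. */
long long handle_zrpos(const struct sendfile *f, const char *body)
{
    unsigned char hdr[5];
    const unsigned char *p;
    if (parse_hex_header(body, hdr) != 0) return -1;
    if (hdr[0] != ZRPOS) return -1;
    uint32_t pos = rclhdr(hdr + 1);
    if (seek_checked(f, pos, &p) != 0) return -1;
    return (long long)pos;
}

/* Constructed stand-in for the mapped file: 16 bytes of sample data. */
const struct sendfile *sample_file(void)
{
    static const unsigned char data[] = "0123456789abcdef";
    static const struct sendfile f = { data, sizeof(data) - 1 };
    return &f;
}

int main(void)
{
    const struct sendfile *f = sample_file();
    const char *bodies[] = {
        "0908000000",   /* ZRPOS, pos 8: in range                       */
        "0910000000",   /* ZRPOS, pos 0x10 = 16 == len: allowed (EOF)   */
        "0916000000",   /* "16" sent as decimal, read as 0x16 = 22: out */
        "0900000100",   /* pos 0x00010000: far past the 16-byte file    */
        "0a08000000",   /* not a ZRPOS frame type                       */
        "09zz000000",   /* non-hex garbage                              */
    };
    for (size_t i = 0; i < sizeof bodies / sizeof bodies[0]; i++)
        printf("%-12s -> %lld\n", bodies[i], handle_zrpos(f, bodies[i]));
    return 0;
}
```

The sender should treat the outcome of seek_checked() as a protocol error (in ZMODEM terms, abort or renegotiate) rather than silently clamping: a receiver that sends an out-of-range position is either broken or hostile, and either way nothing useful can be sent from there.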

Comment 1 Matthew Miller 2005-04-11 22:20:45 UTC
[Bulk move of FC2 bugs to Fedora Legacy. See

Comment 2 Matthew Miller 2007-04-10 19:11:57 UTC
Fedora Core 2 is now completely unmaintained. These bugs can't be fixed in that
version. If the issue still persists in current Fedora Core, please reopen.
Thank you, and sorry about this.
