Red Hat Bugzilla – Bug 153183
ZRPOS file position not validated; segfaults possible
Last modified: 2007-04-18 13:22:37 EDT
Description of problem:
When sending a file with lsz, the receiver can send a ZRPOS command, repositioning the file pointer. This is not checked for being in-bounds. Because it uses mmap, this allows the pointer to be positioned out-of-bounds, and causes a segfault.
Look at getinsync() in lsz.c.
This is probably a security issue, because the receiver could use it to access memory outside of the file bounds. It seems not to be a problem on receiving, so I don't think a client can get rz/sz to execute code. So, it's certainly a minimal security risk.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up a ZMODEM receiver to send invalid ZRPOS packets.
2. Run lsz.
Actual Results: Segfault.
I found this bug while trying to upload firmware to a device with a buggy zmodem implementation that sends decimal instead of hex file position data. So, I don't have a simple way to reproduce the bug.
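An added example, not part of the original report and not lrzsz's own code: a sender that validates a receiver-supplied ZRPOS offset against the mapped file length before reading from the mapping. The struct and function names are hypothetical, the sample data is constructed, and the decoding assumes the ZMODEM header carries the position low byte first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sender state: a file mapped read-only into memory. */
struct tx_file {
    const unsigned char *map;  /* base of the mapping */
    size_t size;               /* file length in bytes */
    size_t pos;                /* current send offset */
};

/* Decode the four position bytes of a header (assumed low byte first). */
static uint32_t zm_decode_pos(const unsigned char hdr[4])
{
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
           ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
}

/* Apply a receiver-requested ZRPOS. Returns 0 on success, -1 if the
 * offset lies beyond the file; the state is left unchanged on rejection. */
static int tx_reposition(struct tx_file *f, uint32_t requested)
{
    if ((uint64_t)requested > (uint64_t)f->size)
        return -1;
    f->pos = (size_t)requested;
    return 0;
}

/* Copy up to max bytes from the current offset, never past the mapping. */
static size_t tx_next_block(struct tx_file *f, unsigned char *out, size_t max)
{
    size_t left = f->size - f->pos;  /* safe: pos <= size is an invariant */
    size_t n = left < max ? left : max;
    memcpy(out, f->map + f->pos, n);
    f->pos += n;
    return n;
}

int main(void)
{
    static const unsigned char data[] = "constructed file"; /* stands in for mmap */
    struct tx_file f = { data, sizeof data - 1, 0 };
    const unsigned char bad[4] = { 0xff, 0xff, 0xff, 0x7f }; /* constructed ZRPOS */
    int rc = tx_reposition(&f, zm_decode_pos(bad));
    printf("out-of-range ZRPOS %s\n", rc == 0 ? "accepted" : "rejected");
    return 0;
}
```

An offset equal to the file length is accepted here because it denotes end of file and leads to a zero-length read.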
[Bulk move of FC2 bugs to Fedora Legacy. See
Fedora Core 2 is now completely unmaintained. These bugs can't be fixed in that
version. If the issue still persists in current Fedora Core, please reopen.
Thank you, and sorry about this.