From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Description of problem:
When sending a file with lsz, the receiver can send a ZRPOS command, repositioning the file pointer. This is not checked for being in-bounds. Because it uses mmap, this allows the pointer to be positioned out-of-bounds, and causes a segfault. Look at getinsync() in lsz.c. This is probably a security issue, because the receiver could use it to access memory outside of the file bounds. It seems not to be a problem on receiving, so I don't think a client can get rz/sz to execute code. So, it's certainly a minimal security risk.

Version-Release number of selected component (if applicable):
lrzsz-0.12.20-18

How reproducible:
Always

Steps to Reproduce:
1. Set up a ZMODEM receiver to send invalid ZRPOS packets.
2. Run lsz.
3.

Actual Results:
Segfault.

Additional info:
I found this bug while trying to upload firmware to a device with a buggy zmodem implementation that sends decimal instead of hex file position data. So, I don't have a simple way to reproduce the bug.
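The missing check described in this report, sketched as an added example that is not part of the original report and is not lrzsz's own code: a receiver-supplied ZRPOS offset is validated against the mapped file's length before the sender's position is moved. The `send_state` struct and the function names are hypothetical, and the 16-byte "file" is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A ZMODEM header carries the position in four bytes, low-order byte first. */
static uint32_t zpos_decode(const unsigned char hdr[4])
{
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
           ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
}

/* Hypothetical sender state: file mapped read-only at `map`, `size` bytes. */
struct send_state {
    const unsigned char *map;
    size_t size;
    size_t pos; /* next offset to transmit */
};

/* Apply a receiver-supplied ZRPOS. Returns 0 on success, -1 if the offset
 * lies past the end of the file; the state is unchanged on error.
 * pos == size is accepted: it means nothing is left to send. */
static int apply_zrpos(struct send_state *s, const unsigned char hdr[4])
{
    uint32_t req = zpos_decode(hdr);
    if ((size_t)req > s->size)
        return -1;
    s->pos = (size_t)req;
    return 0;
}

/* Copy up to `want` bytes from the current position, never past the map. */
static size_t next_chunk(struct send_state *s, unsigned char *out, size_t want)
{
    size_t left = s->size - s->pos; /* cannot underflow: pos <= size */
    size_t n = want < left ? want : left;
    memcpy(out, s->map + s->pos, n);
    s->pos += n;
    return n;
}

int main(void)
{
    unsigned char file[16] = {0};            /* constructed sample "file" */
    struct send_state s = { file, sizeof file, 0 };
    unsigned char bad[4] = { 0x00, 0x10, 0x00, 0x00 }; /* offset 0x1000 */
    printf("out-of-range ZRPOS -> %d\n", apply_zrpos(&s, bad));
    return 0;
}
```

A sender that rejects the header this way can treat the bad ZRPOS like any other protocol error instead of reading through the mapping at an offset the receiver chose.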
[Bulk move of FC2 bugs to Fedora Legacy. See <http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]
Fedora Core 2 is now completely unmaintained. These bugs can't be fixed in that version. If the issue still persists in current Fedora Core, please reopen. Thank you, and sorry about this.