Bug 153183 - ZRPOS file position not validated; segfaults possible
Product: Fedora Legacy
Classification: Retired
Component: lrzsz
Platform: All Linux
Priority: medium / Severity: medium
Assigned To: Fedora Legacy Bugs
Keywords: Security
Reported: 2005-04-02 01:13 EST by Joe Krahn
Modified: 2007-04-18 13:22 EDT
Doc Type: Bug Fix
Last Closed: 2007-04-10 15:11:57 EDT

Attachments: None
Description Joe Krahn 2005-04-02 01:13:17 EST

Description of problem:
When sending a file with lsz, the receiver can send a ZRPOS command, repositioning the file pointer. This is not checked for being in-bounds. Because it uses mmap, this allows the pointer to be positioned out-of-bounds, and causes a segfault.

Look at getinsync() in lsz.c.

This is probably a security issue, because the receiver could use it to access memory outside of the file bounds. It seems not to be a problem on receiving, so I don't think a client can get rz/sz to execute code. So, it's certainly a minimal security risk.

Steps to Reproduce:
1. Set up a ZMODEM receiver to send invalid ZRPOS packets.
2. Run lsz.

Actual Results:  Segfault.

Additional info:

I found this bug while trying to upload firmware to a device with a buggy zmodem implementation that sends decimal instead of hex file position data. So, I don't have a simple way to reproduce the bug.
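The missing check described above, as an added example that is not code from lrzsz or from the reporter: a sender-side ZRPOS handler that decodes the 4-byte little-endian position from the header and refuses any offset past the end of the mapped file, so the transmit pointer can never be moved outside the mapping. `send_state`, `apply_zrpos` and `next_byte` are hypothetical names, and the byte array stands in for the mmap'd file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* ZMODEM header byte slots: ZP0 is the least-significant byte of the position. */
enum { ZP0 = 0, ZP1 = 1, ZP2 = 2, ZP3 = 3 };

/* Decode the 32-bit file position carried by a ZRPOS header. */
uint32_t zrpos_position(const unsigned char hdr[4])
{
    return (uint32_t)hdr[ZP0]
         | ((uint32_t)hdr[ZP1] << 8)
         | ((uint32_t)hdr[ZP2] << 16)
         | ((uint32_t)hdr[ZP3] << 24);
}

/* Sender-side state (hypothetical); `map` stands in for the mmap'd file. */
struct send_state {
    const unsigned char *map;
    size_t length;   /* bytes in the mapped file */
    size_t pos;      /* next offset to transmit */
};

/* Apply a ZRPOS request only if it lies within [0, length]. An offset equal
 * to length means "resume at end of file" and is accepted; anything larger
 * is rejected and pos is left untouched, so no read can stray past the map. */
bool apply_zrpos(struct send_state *st, const unsigned char hdr[4])
{
    uint64_t req = zrpos_position(hdr);   /* widen before comparing */
    if (req > (uint64_t)st->length)
        return false;
    st->pos = (size_t)req;
    return true;
}

/* Return the next byte to send, or -1 once the whole file has been sent. */
int next_byte(struct send_state *st)
{
    if (st->pos >= st->length)
        return -1;
    return st->map[st->pos++];
}
```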
Comment 1 Matthew Miller 2005-04-11 18:20:45 EDT
[Bulk move of FC2 bugs to Fedora Legacy. See
Comment 2 Matthew Miller 2007-04-10 15:11:57 EDT
Fedora Core 2 is now completely unmaintained. These bugs can't be fixed in that
version. If the issue still persists in current Fedora Core, please reopen.
Thank you, and sorry about this.
