Lrzsz has an integer overflow vulnerability in the src/zm.c:zsdata() function. An attacker could exploit this with the sz command to cause a crash or potentially leak information to the receiving server. Additional References: https://bugzilla.novell.com/show_bug.cgi?id=1090051
Created lrzsz tracking bugs for this issue: Affects: fedora-all [bug 1572059]
Does this affect our packages? We have the following patch (added for bug #75473), which fixes the zsdata() function to handle a length of zero: https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch The changelog of the SUSE package indicates it was fixed in the 0.12.21rc version, but that seems to be a different bug, which is related to zero-length files and mmap().
(In reply to Miroslav Lichvar from comment #3)
> Does this affect our packages?
>
> We have the following patch (added for bug #75473), which fixes the zsdata()
> function to handle a length of zero:
> https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch
>
> The changelog of the SUSE package indicates it was fixed in the 0.12.21rc
> version, but that seems to be a different bug, which is related to
> zero-length files and mmap().

I overlooked the patch, so I think you are correct and our packages are not affected. Happy for this bug and its trackers to be closed as NOTABUG.
Statement: This issue did not affect the versions of lrzsz as shipped with Red Hat Enterprise Linux 5, 6, and 7. A patch was already applied for this vulnerability.