Bug 29970 - lrzsz new security issue CVE-2018-10195
Summary: lrzsz new security issue CVE-2018-10195
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-01-30 19:09 CET by David Walser
Modified: 2022-02-05 21:24 CET (History)
5 users

See Also:
Source RPM: lrzsz-0.12.21-23.mga8.src.rpm
CVE: CVE-2018-10195
Status comment:



Description David Walser 2022-01-30 19:09:53 CET
Debian-LTS has issued an advisory on January 25:
https://www.debian.org/lts/security/2022/dla-2900

It is fixed by this patch:
https://src.fedoraproject.org/rpms/lrzsz/raw/rawhide/f/lrzsz-0.12.20.patch

Mageia 8 is also affected.
David Walser 2022-01-30 19:10:06 CET

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-01-30 21:28:02 CET
This package is seldom touched, and has no evident associated packager; so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-01-31 16:03:22 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

lrzsz before version 0.12.21~rc can leak information to the receiving side due to an incorrect length check in the function zsdata that causes a size_t to wrap around. (CVE-2018-10195)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10195
https://www.debian.org/lts/security/2022/dla-2900
========================

Updated package in core/updates_testing:
========================
lrzsz-0.12.21-23.1.mga8

from SRPM:
lrzsz-0.12.21-23.1.mga8.src.rpm

Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status comment: Patch available from Fedora => (none)
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2018-10195

Comment 3 Herman Viaene 2022-02-01 11:42:17 CET
MGA8-64Plasma on Lenovo B50 in Dutch
No installation issues.
Serial connection ???? That's ages ago......
Found http://www.armadeus.org/wiki/index.php?title=Serial_Transfer
and that suggests one could use a USB connection between PCs to run this.
But frankly, is it worthwhile to spend time to get this thing configured correctly???
I suggest OK on clean install, if TJ or ...... approves.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-02-04 22:18:12 CET
From https://directory.fsf.org/wiki/Lrzsz

"lrzsz is a unix communication package providing the XMODEM, YMODEM ZMODEM file transfer protocols."

Wow. I don't think I've done anything with those since transferring files from our local user group bbs during my Atari 8-bit computer days 30 years ago. My two laptops both have serial ports, but I don't even know if they work - I've never tried to use them. A serial cable? Maybe, if I looked hard enough, but no device that I know of to connect to any more. Almost seems like I had a null-modem cable once, but if I did I have no idea where it is.

I think we're OK with a clean install. Validating. Advisory in Comment 2.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-02-05 19:20:16 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-02-05 21:24:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0049.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
