Bug 29970 - lrzsz new security issue CVE-2018-10195
Summary: lrzsz new security issue CVE-2018-10195
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-01-30 19:09 CET by David Walser
Modified: 2022-02-05 21:24 CET (History)
5 users (show)

See Also:
Source RPM: lrzsz-0.12.21-23.mga8.src.rpm
CVE: CVE-2018-10195
Status comment:


Description David Walser 2022-01-30 19:09:53 CET
Debian-LTS has issued an advisory on January 25:

It is fixed by this patch:

Mageia 8 is also affected.
David Walser 2022-01-30 19:10:06 CET

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-01-30 21:28:02 CET
This package is seldom touched, and has no evident associated packager; so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-01-31 16:03:22 CET
Suggested advisory:

The updated package fixes a security vulnerability:

lrzsz before version 0.12.21~rc can leak information to the receiving side due to an incorrect length check in the function zsdata that causes a size_t to wrap around. (CVE-2018-10195)


Updated package in core/updates_testing:

from SRPM:

Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status comment: Patch available from Fedora => (none)
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2018-10195

Comment 3 Herman Viaene 2022-02-01 11:42:17 CET
MGA8-64Plasma on Lenovo B50 in Dutch
No installation issues.
Serial connection ???? That's ages ago......
Found http://www.armadeus.org/wiki/index.php?title=Serial_Transfer
and that suggests one could use an USB connection between PC's to run this.
But frankly, is it worthwile to spend time to get this ting configured correctly???
I suggest OK on clean install, if TJ or ...... approves.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-02-04 22:18:12 CET
From https://directory.fsf.org/wiki/Lrzsz

"lrzsz is a unix communication package providing the XMODEM, YMODEM ZMODEM file transfer protocols."

Wow. I don't think I've done anything with those since transferring files from our local user group bbs during my Atari 8-bit computer days 30 years ago. My two laptops both have serial ports, but I don't even know if they work - I've never tried to use them. A serial cable? Maybe, if I looked hard enough, but no device that I know of to connect to any more. Almost seems like I had a null-modem cable once, but if I did I have no idea where it is.

I think we're OK with a clean install. Validating. Advisory in Comment 2.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-02-05 19:20:16 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-02-05 21:24:11 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.