Bug 1090051 - (CVE-2018-10195) VUL-0: CVE-2018-10195: rzsz: sz can leak data to receiving side
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: x86-64 SLES 11
Importance: P3 - Medium Normal
Assigned To: Security Team bot
CVSSv3:SUSE:CVE-2018-10195:4.4:(AV:L/...
Reported: 2018-04-18 12:12 UTC by Johannes Segitz
Modified: 2018-09-10 14:02 UTC
Found By: Customer

Description Johannes Segitz 2018-04-18 12:12:09 UTC
+++ This bug was initially created as a clone of Bug #1086416 +++

sz can segfault in zsdata():

Core was generated by `sz core.0.26368.1520276402.sz.11'.
Program terminated with signal 11, Segmentation fault.
#0  zsdata (buf=0x611120 "core.0.26368.1520276402.sz.11", length=0, frameend=104) at zm.c:435
435                     zsendline(*buf); crc = updcrc((0377 & *buf), crc);
(gdb) bt
#0  zsdata (buf=0x611120 "core.0.26368.1520276402.sz.11", length=0, frameend=104) at zm.c:435
#1  0x00000000004041d1 in zsendfdata (zi=0x7fff17356e90) at lsz.c:2143
#2  0x0000000000404fcc in zsendfile (blen=<optimized out>, buf=<optimized out>, zi=<optimized out>) at lsz.c:1889
#3  wctxpn (zi=0x7fff17356e90) at lsz.c:1260
#4  0x00000000004057a9 in wcs (oname=0x7fff1735859d "core.0.26368.1520276402.sz.11", remotename=0x7fff17355d50 "core.0.26368.1520276402.sz.11")
    at lsz.c:1132
#5  0x0000000000406311 in wcsend (argc=1, argp=<optimized out>) at lsz.c:925
#6  0x00000000004081ea in main (argc=389378616, argv=0x7fff17357210) at lsz.c:792
(gdb)

So zsdata(*buf, length, frameend) was called with length = 0. It does the following:

void
zsdata(const char *buf, size_t length, int frameend)
{
        // .. unsigned short crc = 0 .. printf() ..

        do {
                zsendline(*buf); crc = updcrc((0377 & *buf), crc);
                buf++;
        } while (--length>0);
[..]
}

length is of type size_t, i.e. unsigned int. Subtracting one from zero will wrap length to a positive value. So the loop will run until either length becomes 0 again or dereferencing the buf pointer triggers a segfault, whichever comes first (the latter, of course).

Calling zsdata() with zero length is intentional, BTW. This is where it got called from:

  if (c != ZACK) {
    ZSDATA (txbuf, 0, ZCRCE);
    goto gotack;
  }

...and various other places.

This bug might leak information to the receiver before sz finally crashes, so it likely has security impact. The same build of the package is present up to SLES 11 SP4.
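The loop quoted in the description, modelled as an added example that is not code from this bug report or from the rzsz/lrzsz sources: the original `do { ... } while (--length > 0);` shape is run inside a bounded simulation so the size_t wrap-around and the resulting over-read of txbuf can be observed without actually reading past a buffer, next to a hardened variant whose loop is bounded by the declared length. The receiver sink, the CRC-16 routine (`updcrc_sim`), the `zsendline_sim` stand-in and the txbuf contents are all constructed for this example and are assumptions, not the package's real functions or data.

```c
/* Added example, not from the bug report or from rzsz/lrzsz. Models the zsdata()
 * loop described in the bug and a bounded replacement; every helper here is a
 * constructed stand-in. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SINK_CAP 256
static unsigned char sink[SINK_CAP];   /* constructed stand-in for the receiving side */
static size_t sink_len;

static void sink_reset(void) { sink_len = 0; }

/* Stand-in for zsendline(): hands one byte to the simulated receiver. */
static void zsendline_sim(unsigned char c) {
    if (sink_len < SINK_CAP) sink[sink_len++] = c;
}

/* Constructed CRC-16 (poly 0x1021, MSB first), standing in for updcrc()/crctab. */
static unsigned short updcrc_sim(unsigned char c, unsigned short crc) {
    crc ^= (unsigned short)(c << 8);
    for (int i = 0; i < 8; i++)
        crc = (crc & 0x8000) ? (unsigned short)((crc << 1) ^ 0x1021)
                             : (unsigned short)(crc << 1);
    return crc;
}

/* The arithmetic at the heart of the bug: --length on a size_t that is 0. */
size_t predecrement_size_t_zero(void) {
    size_t length = 0;
    return --length;               /* wraps to SIZE_MAX, so `> 0` stays true */
}

/* Model of the original loop, `do { ... } while (--length > 0);`.
 * `avail` is how much memory really lies behind buf; the simulation stops where
 * the real program would read past it (and, sooner or later, fault). Returns the
 * number of bytes handed to the receiver: for length == 0 that is `avail`, i.e.
 * whatever stale content txbuf held, not the 0 bytes the caller intended. */
size_t zsdata_vuln_sim(const unsigned char *buf, size_t avail, size_t length,
                       unsigned short *crc_out) {
    unsigned short crc = 0;
    size_t sent = 0;
    sink_reset();
    do {
        if (sent >= avail) break;  /* bound of the simulation, not of the original code */
        zsendline_sim(*buf);
        crc = updcrc_sim(*buf, crc);
        buf++;
        sent++;
    } while (--length > 0);        /* 0 - 1 == SIZE_MAX here, so the loop continues */
    *crc_out = crc;
    return sent;
}

/* Hardened variant: the loop is driven by an index bounded by the declared length,
 * so a zero-length data subpacket sends no payload bytes at all. */
size_t zsdata_fixed(const unsigned char *buf, size_t length, unsigned short *crc_out) {
    unsigned short crc = 0;
    sink_reset();
    for (size_t i = 0; i < length; i++) {
        zsendline_sim(buf[i]);
        crc = updcrc_sim(buf[i], crc);
    }
    *crc_out = crc;
    return length;
}

/* Constructed txbuf contents: a stale payload left over from an earlier subpacket. */
static const unsigned char txbuf_demo[] = "stale-txbuf-payload";
#define TXBUF_DEMO_LEN (sizeof txbuf_demo - 1)

/* Compares what reached the simulated receiver with an expected string. */
int sink_equals(const char *expected) {
    size_t n = strlen(expected);
    return sink_len == n && memcmp(sink, expected, n) == 0;
}

int main(void) {
    unsigned short crc;
    size_t n = zsdata_vuln_sim(txbuf_demo, TXBUF_DEMO_LEN, 0, &crc);
    printf("original loop, length 0: %zu bytes sent (stale txbuf content leaked)\n", n);
    n = zsdata_fixed(txbuf_demo, 0, &crc);
    printf("bounded loop,  length 0: %zu bytes sent\n", n);
    return 0;
}
```

For the intended case (length > 0) both loops send the same bytes and compute the same CRC; they differ only at length 0, where the original shape sends the whole of whatever lies behind txbuf before it faults, which is exactly the "leak before crash" the description points out. The pattern to look for in review is a `do`/`while` whose only exit is a pre-decremented unsigned count.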
Comment 1 Johannes Segitz 2018-04-18 12:12:54 UTC
Requested a CVE for this. Please update the existing submits once I add it here.
Comment 2 Johannes Segitz 2018-04-18 14:06:18 UTC
This is CVE-2018-10195. Please resubmit with this reference. Thank you.
Comment 3 Tomáš Chvátal 2018-04-18 14:11:27 UTC
Resubmitted to sle11 and sle12 + TW changelog bump
Comment 5 Swamp Workflow Management 2018-04-18 14:50:09 UTC
This is an autogenerated message for OBS integration:
This bug (1090051) was mentioned in
https://build.opensuse.org/request/show/597805 Factory / rzsz
Comment 6 Swamp Workflow Management 2018-04-24 16:09:19 UTC
SUSE-SU-2018:1066-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1076576,1086416,1090051
CVE References: CVE-2018-10195
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    rzsz-0.12.21~rc-1001.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    rzsz-0.12.21~rc-1001.3.1
Comment 7 Swamp Workflow Management 2018-04-24 16:11:31 UTC
SUSE-SU-2018:1070-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 1076576,1086416,1090051,529899
CVE References: CVE-2018-10195
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    rzsz-0.12.21~rc-936.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    rzsz-0.12.21~rc-936.3.1
Comment 9 Marcus Meissner 2018-09-10 14:02:42 UTC
done