
Debian Bug report logs - #897010
lrzsz: CVE-2018-10195: rzsz: sz can leak data to receiving side


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 27 Apr 2018 04:21:02 UTC

Severity: grave

Tags: security, upstream

Found in version lrzsz/0.12.21-5

Fixed in version lrzsz/0.12.21-10

Done: godisch@debian.org (Martin A. Godisch)



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Martin A. Godisch <godisch@debian.org>:
Bug#897010; Package src:lrzsz. (Fri, 27 Apr 2018 04:21:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Martin A. Godisch <godisch@debian.org>. (Fri, 27 Apr 2018 04:21:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lrzsz: CVE-2018-10195: rzsz: sz can leak data to receiving side
Date: Fri, 27 Apr 2018 06:17:21 +0200
Source: lrzsz
Version: 0.12.21-5
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for lrzsz.

CVE-2018-10195[0]:
rzsz: sz can leak data to receiving side

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10195
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10195
[1] https://bugzilla.novell.com/show_bug.cgi?id=1090051
[2] https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1572058

Regards,
Salvatore



Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 30 Apr 2018 20:12:08 GMT)


Reply sent to godisch@debian.org (Martin A. Godisch):
You have taken responsibility. (Tue, 01 May 2018 13:54:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 01 May 2018 13:54:09 GMT)


Message #12 received at 897010-close@bugs.debian.org:

From: godisch@debian.org (Martin A. Godisch)
To: 897010-close@bugs.debian.org
Subject: Bug#897010: fixed in lrzsz 0.12.21-10
Date: Tue, 01 May 2018 13:52:29 +0000
Source: lrzsz
Source-Version: 0.12.21-10

We believe that the bug you reported is fixed in the latest version of
lrzsz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897010@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin A. Godisch <godisch@debian.org> (supplier of updated lrzsz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 01 May 2018 15:34:22 +0200
Source: lrzsz
Binary: lrzsz
Architecture: source amd64
Version: 0.12.21-10
Distribution: unstable
Urgency: high
Maintainer: Martin A. Godisch <godisch@debian.org>
Changed-By: Martin A. Godisch <godisch@debian.org>
Description:
 lrzsz      - Tools for zmodem/xmodem/ymodem file transfer
Closes: 897010
Changes:
 lrzsz (0.12.21-10) unstable; urgency=high
 .
   * Fixed possible sz data leak, CVE-2018-10195, closes: #897010.
     Patch from the Fedora project,
     https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:26:15 2019; Machine Name: buxtehude
