1Integer overflow in src/zm.c:zsdata() causes crash in sz and can leak information to receiver. 2 3Patch taken from Fedora. 4 5CVE: CVE-2018-10195 6Upstream-Status: Inappropriate (dead upstream) 7Signed-off-by: Ross Burton <ross.burton@intel.com> 8 9diff -urN lrzsz-0.12.20/src/zm.c lrzsz-0.12.20.new/src/zm.c 10--- lrzsz-0.12.20/src/zm.c Tue Dec 29 09:48:38 1998 11+++ lrzsz-0.12.20.new/src/zm.c Tue Oct 8 12:46:58 2002 12@@ -431,10 +431,12 @@ 13 VPRINTF(3,("zsdata: %lu %s", (unsigned long) length, 14 Zendnames[(frameend-ZCRCE)&3])); 15 crc = 0; 16- do { 17- zsendline(*buf); crc = updcrc((0377 & *buf), crc); 18- buf++; 19- } while (--length>0); 20+ 21+ for( ; length; length--) { 22+ zsendline(*buf); crc = updcrc((0377 & *buf), crc); 23+ buf++; 24+ } 25+ 26 xsendline(ZDLE); xsendline(frameend); 27 crc = updcrc(frameend, crc); 28