Description
lrzsz before version 0.12.21~rc can leak information to the receiving side due to an incorrect length check in the function zsdata that causes a size_t to wrap around.
References (5)
Core References
Release Notes, Third Party Advisory x_refsource_misc
http://www.ohse.de/uwe/software/lrzsz.html
Mailing List, Third Party Advisory x_refsource_misc
https://lists.suse.com/pipermail/sle-security-updates/2018-April/003955.html?_ga=2.81625751.1026327980.1622040648-1950393542.1547130931
Mailing List, Third Party Advisory x_refsource_misc
https://lists.suse.com/pipermail/sle-security-updates/2018-April/003956.html?_ga=2.81625751.1026327980.1622040648-1950393542.1547130931
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1572058
Issue Tracking, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/01/msg00027.html
Scores
CVSS v3: 7.1
EPSS: 0.0005
EPSS Percentile: 17.0%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Details
CWE: CWE-190
Status: published
Products (6)
debian/debian_linux: 9.0
lrzsz_project/lrzsz: < 0.12.20
suse/linux_enterprise_debuginfo: 11 sp4
suse/linux_enterprise_desktop: 12 sp3
suse/linux_enterprise_server: 11 sp4
suse/linux_enterprise_server: 12 sp3
Published: Jun 02, 2021
Tracked Since: Feb 18, 2026