lrzsz: CVE-2018-10195

[l2dy]

• [x] are reporting a bug others will be able to reproduce and not asking a question. If you're not sure or want to ask a question do so on our Discourse: https://discourse.brew.sh
• [x] have a problem with brew install (or upgrade, reinstall) a single, official formula (not cask)?
• [ ] ran brew update and can still reproduce the problem?
• [ ] ran brew doctor, fixed all issues and can still reproduce the problem?
• [ ] ran brew gist-logs <formula> (where <formula> is the name of the formula that failed) and included the output link?
• [ ] if brew gist-logs didn't work: ran brew config and brew doctor and included their output with your issue?

---

Note that I haven't tried to reproduce the crash, merely discovered the vulernability from Debian's security-tracker.

https://security-tracker.debian.org/tracker/CVE-2018-10195 https://bugzilla.redhat.com/show_bug.cgi?id=1572058

[DomT4]

Thanks for flagging this up to us! I keep a loose eye on all the major security mailing lists & trackers but this one slipped through (as have some others that aren't big enough to generate "noise", in all likelihood) so we appreciate people notifying us of these things.

I applied the Fedora patch locally and, well, it broke compile, naturally 🙃.

mv lrzsz.po ./lrzsz.pot
mv: rename lrzsz.po to ./lrzsz.pot: No such file or directory
make[2]: *** [lrzsz.pot] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all-recursive-am] Error 2

Looking into it.

[DomT4]

Resolved via https://github.com/Homebrew/homebrew-core/commit/5361ba0d1d1d0fdce0ff52565be4f8d92eea42f4. Thanks again for the report!