CVE-2021-30184 Arbitrary code execution in GNU Chess [security]

  • Done
Details
One participant: Maxime Devos
Owner: unassigned
Submitted by: Maxime Devos
Severity: normal
Maxime Devos wrote on 12 Apr 2021 17:44
(address . bug-guix@gnu.org)
0a0b536cf697c37adfca19ccb547e22c9cee4ce0.camel@telenet.be

GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN
(Portable Game Notation) data. This is related to a buffer overflow in the use
of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in
frontend/cmd.cc.

Upstream bug report and patch:

Upstream is aware of this issue and patch. The patch is being reviewed upstream:

‘We will review it all in detail for a future release fixing the problem.’

I believe we should simply wait for upstream to make a release.


Maxime Devos wrote on 12 Apr 2021 22:31
(address . control@debbugs.gnu.org)
a46c8a86c25440bd8e5a1427d4fa5d72a593ff35.camel@telenet.be
tags 47729 security
thanks
Closed