(address . bug-guix@gnu.org)
0a0b536cf697c37adfca19ccb547e22c9cee4ce0.camel@telenet.be
GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN
(Portable Game Notation) data. This is related to a buffer overflow in the use
of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in
frontend/cmd.cc.
Upstream bug report and patch:
Upstream is aware of this issue and patch. The patch is being reviewed upstream:
Response by Antonio Ceballos (https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html)
‘We will review it all in detail for a future release fixing the problem.’
I believe we should simply wait for upstream to make a release.