CVE-2021-30184 Arbitrary code execution in GNU Chess [security]

  • Done
  • quality assurance status badge
Details
One participant
  • Maxime Devos
Owner
unassigned
Submitted by
Maxime Devos
Severity
normal
M
M
Maxime Devos wrote on 12 Apr 2021 17:44
(address . bug-guix@gnu.org)
0a0b536cf697c37adfca19ccb547e22c9cee4ce0.camel@telenet.be

GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN
(Portable Game Notation) data. This is related to a buffer overflow in the use
of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in
frontend/cmd.cc.

Upstream bug report and patch:

Upstream is aware of this issue and patch. The patch is being reviewed upstream:

‘We will review it all in detail for a future release fixing the problem.’

I believe we should simply wait for upstream to make a release.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYHRq2BccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7o76AP9ixzfK48MaqYYWx/Y93dKzqyTW
jgm+sOJe25bU3sTNDgEA5XWV+sZ56Ptxz6rSG88YRQlkBa4bATPktp3Wjt1FqQY=
=Va44
-----END PGP SIGNATURE-----


M
M
Maxime Devos wrote on 12 Apr 2021 22:31
(address . control@debbugs.gnu.org)
a46c8a86c25440bd8e5a1427d4fa5d72a593ff35.camel@telenet.be
tags 47729 security
thanks
M
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 47729@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 47729
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch