CVE-2021-30184 Arbitrary code execution in GNU Chess [security]

Done. Submitted by Maxime Devos.
Details
One participant
  • Maxime Devos
Owner
unassigned
Severity
normal
Maxime Devos wrote on 12 Apr 17:44 +0200
(address . bug-guix@gnu.org)
0a0b536cf697c37adfca19ccb547e22c9cee4ce0.camel@telenet.be
From https://nvd.nist.gov/vuln/detail/CVE-2021-30184:
GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN (Portable Game Notation) data. This is related to a buffer overflow in the use of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in frontend/cmd.cc.
Upstream bug report and patch: https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html
Upstream is aware of this issue and patch. The patch is being reviewed upstream:
Response by Antonio Ceballos (https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html): ‘We will review it all in detail for a future release fixing the problem.’
I believe we should simply wait for upstream to make a release.

Maxime Devos wrote on 12 Apr 22:31 +0200
(address . control@debbugs.gnu.org)
a46c8a86c25440bd8e5a1427d4fa5d72a593ff35.camel@telenet.be
tags 47729 security
thanks
Maxime Devos wrote on 10 May 21:48 +0200
(address . 47729-done@debbugs.gnu.org)
06d2c07658acf6d550921288a630a0bb9f32dfd2.camel@telenet.be
Closed