GNU bug report logs - #47729
CVE-2021-30184 Arbitrary code execution in GNU Chess [security]

Package: guix;

Reported by: Maxime Devos <maximedevos <at> telenet.be>

Date: Mon, 12 Apr 2021 15:45:01 UTC

Severity: normal

Tags: security

Done: Maxime Devos <maximedevos <at> telenet.be>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 47729 in the body.
You can then email your comments to 47729 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#47729; Package guix. (Mon, 12 Apr 2021 15:45:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maxime Devos <maximedevos <at> telenet.be>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 12 Apr 2021 15:45:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: bug-guix <at> gnu.org
Subject: CVE-2021-30184 Arbitrary code execution in GNU Chess [security]
Date: Mon, 12 Apr 2021 17:44:24 +0200

[Message part 1 (text/plain, inline)]

From https://nvd.nist.gov/vuln/detail/CVE-2021-30184:

GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN
(Portable Game Notation) data. This is related to a buffer overflow in the use
of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in
frontend/cmd.cc.

Upstream bug report and patch:
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html

Upstream is aware of this issue and patch.  The patch is being reviewed upstream:

Response by Antonio Ceballos (<https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html>)
‘We will review it all in detail for a future release fixing the problem.’

I believe we should simply wait for upstream to make a release.

[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from Maxime Devos <maximedevos <at> telenet.be> to control <at> debbugs.gnu.org. (Mon, 12 Apr 2021 20:32:02 GMT) Full text and rfc822 format available.

Reply sent to Maxime Devos <maximedevos <at> telenet.be>:
You have taken responsibility. (Mon, 10 May 2021 19:50:01 GMT) Full text and rfc822 format available.

Notification sent to Maxime Devos <maximedevos <at> telenet.be>:
bug acknowledged by developer. (Mon, 10 May 2021 19:50:02 GMT) Full text and rfc822 format available.

Message #12 received at 47729-done <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: 47729-done <at> debbugs.gnu.org
Subject: Fixed: CVE-2021-30184 Arbitrary code execution in GNU Chess [security]
Date: Mon, 10 May 2021 21:48:55 +0200

Fixed with https://git.savannah.gnu.org/cgit/guix.git/commit/?id=9a11f2380ff49756ace2f33bc96a88cdb6af5453.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 08 Jun 2021 11:24:05 GMT) Full text and rfc822 format available.

This bug report was last modified 2 years and 316 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #47729 CVE-2021-30184 Arbitrary code execution in GNU Chess [security]

GNU bug report logs - #47729
CVE-2021-30184 Arbitrary code execution in GNU Chess [security]