GNU bug report logs - #47729
CVE-2021-30184 Arbitrary code execution in GNU Chess [security]

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Maxime Devos <maximedevos@HIDDEN>; Keywords: security; dated Mon, 12 Apr 2021 15:45:01 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from Maxime Devos <maximedevos@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 12 Apr 2021 15:44:41 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Apr 12 11:44:41 2021
Received: from localhost ([127.0.0.1]:57761 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lVyju-0002cD-CF
	for submit <at> debbugs.gnu.org; Mon, 12 Apr 2021 11:44:41 -0400
Received: from lists.gnu.org ([209.51.188.17]:50212)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1lVyjt-0002c5-A1
 for submit <at> debbugs.gnu.org; Mon, 12 Apr 2021 11:44:37 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:34606)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <maximedevos@HIDDEN>)
 id 1lVyjt-0007gH-1S
 for bug-guix@HIDDEN; Mon, 12 Apr 2021 11:44:37 -0400
Received: from laurent.telenet-ops.be ([2a02:1800:110:4::f00:19]:41388)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <maximedevos@HIDDEN>)
 id 1lVyjq-0006X2-8Y
 for bug-guix@HIDDEN; Mon, 12 Apr 2021 11:44:36 -0400
Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be
 ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d])
 by laurent.telenet-ops.be with bizsmtp
 id rrkV2400L0mfAB401rkVvA; Mon, 12 Apr 2021 17:44:29 +0200
Message-ID: <0a0b536cf697c37adfca19ccb547e22c9cee4ce0.camel@HIDDEN>
Subject: CVE-2021-30184 Arbitrary code execution in GNU Chess [security]
From: Maxime Devos <maximedevos@HIDDEN>
To: bug-guix@HIDDEN
Date: Mon, 12 Apr 2021 17:44:24 +0200
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-sDojTtl3foGSiPIa50CF"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21;
 t=1618242269; bh=amApKRThrE0TnvGW747HVhjy9L23c0gPMtNvdFm8Ir8=;
 h=Subject:From:To:Date;
 b=TF7d+V3hdPhREOdZGX7CbZc9tyM1njAUuNeZgvMf/Akp7h3D84ii4GhlIwEmXGgQl
 DESlZQMzqixH8pePQjP6jg/TJ/ryzQmKbS6/7WEOJz1L+2W4e6MIChbHoxR8Wev0RP
 tc7KMEmtG11X+HO52XvGU032hnAVXlsGfcg0ccQ4l0f13pebnDU4HK5GNRfJSk0adh
 ZiNPNV1kOrbv6YYB8Jcln98isiXLMRgyCudzFj4ydtSOVJJHTiolzA+E+bqUhxt/hv
 UVO7mzNPrSp3rOdLAT1K6c3JDCjQW5OV8QFd5pwutxUbhKklDHX4iiwcfQiBtoWdUV
 oivZlzAEZnoLg==
Received-SPF: pass client-ip=2a02:1800:110:4::f00:19;
 envelope-from=maximedevos@HIDDEN; helo=laurent.telenet-ops.be
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 0.2 (/)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)


--=-sDojTtl3foGSiPIa50CF
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

=46rom https://nvd.nist.gov/vuln/detail/CVE-2021-30184:

GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN
(Portable Game Notation) data. This is related to a buffer overflow in the =
use
of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions=
 in
frontend/cmd.cc.

Upstream bug report and patch:
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html

Upstream is aware of this issue and patch.  The patch is being reviewed ups=
tream:

Response by Antonio Ceballos (<https://lists.gnu.org/archive/html/bug-gnu-c=
hess/2021-04/msg00001.html>)
=E2=80=98We will review it all in detail for a future release fixing the pr=
oblem.=E2=80=99

I believe we should simply wait for upstream to make a release.

--=-sDojTtl3foGSiPIa50CF
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYHRq2BccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7o76AP9ixzfK48MaqYYWx/Y93dKzqyTW
jgm+sOJe25bU3sTNDgEA5XWV+sZ56Ptxz6rSG88YRQlkBa4bATPktp3Wjt1FqQY=
=Va44
-----END PGP SIGNATURE-----

--=-sDojTtl3foGSiPIa50CF--





Acknowledgement sent to Maxime Devos <maximedevos@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47729; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Mon, 12 Apr 2021 20:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.