bug#47729: CVE-2021-30184 Arbitrary code execution in GNU Chess [securit

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47729: CVE-2021-30184 Arbitrary code execution in GNU Chess [securit

From:	Maxime Devos
Subject:	bug#47729: CVE-2021-30184 Arbitrary code execution in GNU Chess [security]
Date:	Mon, 12 Apr 2021 17:44:24 +0200
User-agent:	Evolution 3.34.2

From https://nvd.nist.gov/vuln/detail/CVE-2021-30184:

GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN
(Portable Game Notation) data. This is related to a buffer overflow in the use
of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in
frontend/cmd.cc.

Upstream bug report and patch:
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html

Upstream is aware of this issue and patch.  The patch is being reviewed 
upstream:

Response by Antonio Ceballos 
(<https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html>)
‘We will review it all in detail for a future release fixing the problem.’

I believe we should simply wait for upstream to make a release.

signature.asc
Description: This is a digitally signed message part

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47729: CVE-2021-30184 Arbitrary code execution in GNU Chess [security], Maxime Devos <=

Prev by Date: bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Next by Date: bug#41140: “guix system” suggests wrong module import when using “remove”
Previous by thread: bug#47727: halt system test is broken
Next by thread: bug#41140: “guix system” suggests wrong module import when using “remove”
Index(es):
- Date
- Thread