A vulnerability was found in GNU Chess 6.2.5: a stack-based buffer overflow in the cmd_load
function in frontend/cmd.cc, reachable via a crafted chess position in an EPD file.
Created gnuchess tracking bugs for this issue:
Affects: epel-7 [bug 1749178]
Affects: fedora-all [bug 1749177]
gnuchess is only shipped in the optional repository.
This issue did not affect the versions of gnuchess as shipped with Red Hat Enterprise Linux 6, as the vulnerable code is not present in the older version shipped there.
Function cmd_load() reads at most MAXSTR (128) bytes from the EPD file into the `epdline` array of size MAXSTR. It then builds the command to send to the engine by copying `epdline` into a new array `data`, also of size MAXSTR, and prefixing it with the string "setboard". Because the prefix is added on top of an `epdline` that may already be close to MAXSTR bytes long, in some cases the copy writes beyond the end of the `data` array, causing a stack-based buffer overflow that could be used to gain code execution with the privileges of the gnuchess binary.
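The following is an added illustration, not code from GNU Chess: it reproduces the length arithmetic described above (a MAXSTR-sized line plus a fixed prefix copied into a MAXSTR-sized buffer) and shows a bounds-checked way to build the command. MAXSTR is the value quoted in the report; the exact prefix string "setboard " and an fgets()-style line read are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAXSTR 128            /* value quoted in the report */
#define PREFIX "setboard "    /* assumed exact prefix and separator */

/* Bytes an unchecked strcpy(data, PREFIX); strcat(data, epdline);
 * would write into a MAXSTR-sized data array, NUL included.
 * Computed rather than performed, so nothing is overflowed here. */
size_t unchecked_copy_len(const char *epdline)
{
    return strlen(PREFIX) + strlen(epdline) + 1;
}

/* Hardened variant: build the command with snprintf and reject
 * input that would not fit instead of truncating it silently. */
int build_setboard_cmd(char *data, size_t datalen, const char *epdline)
{
    int n = snprintf(data, datalen, "%s%s", PREFIX, epdline);
    if (n < 0 || (size_t)n >= datalen) {
        data[0] = '\0';       /* leave a defined, empty buffer on failure */
        return -1;
    }
    return n;
}

/* Returns 1 if epdline fits a MAXSTR-sized data array, else 0. */
int setboard_fits(const char *epdline)
{
    char data[MAXSTR];
    return build_setboard_cmd(data, sizeof data, epdline) >= 0;
}

/* The longest line a MAXSTR-sized fgets() lets through is MAXSTR-1
 * characters. Constructed worst case, not a real position. */
int longest_read_line_fits(void)
{
    char line[MAXSTR];
    memset(line, 'k', MAXSTR - 1);
    line[MAXSTR - 1] = '\0';
    return setboard_fits(line);
}

int main(void)
{
    const char *start = "rnbqkbnr/pppppppp/8/8/8/8/PPPPPPPP/RNBQKBNR w KQkq -";
    printf("normal position fits: %d\n", setboard_fits(start));
    printf("longest readable line fits: %d\n", longest_read_line_fits());
    return 0;
}
```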
Vulnerable code is present since version v5.9.90.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):