Bug 1749175 (CVE-2019-15767) - CVE-2019-15767 gnuchess: stack-based overflow in cmd_load in frontend/cmd.cc via crafted EPD file
Summary: CVE-2019-15767 gnuchess: stack-based overflow in cmd_load in frontend/cmd.cc ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-15767
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1749177 1749178
Blocks: 1749176
 
Reported: 2019-09-05 05:39 UTC by Dhananjay Arunesh
Modified: 2019-09-11 18:45 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-11 18:45:35 UTC



Description Dhananjay Arunesh 2019-09-05 05:39:32 UTC
A vulnerability was found in GNU Chess 6.2.5: there is a stack-based buffer overflow in the cmd_load
function in frontend/cmd.cc via a crafted chess position in an EPD file.

Reference:
https://lists.gnu.org/archive/html/bug-gnu-chess/2019-08/msg00004.html
https://lists.gnu.org/archive/html/bug-gnu-chess/2019-08/msg00005.html

Comment 1 Dhananjay Arunesh 2019-09-05 05:40:38 UTC
Created gnuchess tracking bugs for this issue:

Affects: epel-7 [bug 1749178]
Affects: fedora-all [bug 1749177]

Comment 2 Riccardo Schirone 2019-09-11 12:19:07 UTC
gnuchess is only shipped in the optional repository.

Comment 3 Riccardo Schirone 2019-09-11 13:42:41 UTC
Statement:

This issue did not affect the versions of gnuchess as shipped with Red Hat Enterprise Linux 6 as the vulnerable code is not present in the older version shipped there.

Comment 4 Riccardo Schirone 2019-09-11 13:50:39 UTC
Function cmd_load() reads at most MAXSTR (128) bytes from the EPD file into the `epdline` array of size MAXSTR, then it creates the data to send to the engine: this is done by copying `epdline` into a new array `data` of size MAXSTR and prefixing it with the string "setboard". However, in some cases it is possible that while copying `epdline` into `data` the bytes are written beyond the limits of the `data` array, causing a stack-based buffer overflow that could be used to gain code execution with the privileges of the gnuchess binary.
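
The copy pattern described in the comment above, as an added illustration that is not gnuchess code: the prefix is 9 bytes, so any EPD line longer than MAXSTR - 10 bytes (which fgets with a MAXSTR-sized buffer happily returns) overruns a MAXSTR-sized `data`. MAXSTR and the "setboard " prefix are taken from the comment; the function names, the constructed EPD lines and the measuring-instead-of-writing approach are assumptions made here. The unchecked version is written so it reports how many bytes would land past the buffer rather than corrupting the stack, and a bounds-checked replacement that rejects oversized lines sits beside it.

```c
/* Added example, not gnuchess code: the cmd_load() copy pattern and a
 * bounds-checked replacement. Names and inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAXSTR 128                     /* line/command buffer size, as in the comment */
#define PREFIX "setboard "             /* engine command prefixed to the EPD position */
#define PREFIX_LEN (sizeof(PREFIX) - 1)

/* Mirrors the unsafe copy: "setboard " followed by every byte of epdline up to
 * the newline goes into data[MAXSTR] with no bounds check. Instead of doing
 * the write, this returns how many bytes would land past the end of a buffer
 * of datasz bytes (0 means the copy fits). */
size_t setboard_overflow_bytes(const char *epdline, size_t datasz)
{
    size_t n = strcspn(epdline, "\n");         /* payload bytes copied before '\n' */
    size_t need = PREFIX_LEN + n + 1;          /* prefix + payload + terminating NUL */
    return need > datasz ? need - datasz : 0;
}

/* Bounds-checked replacement: reject any line whose prefixed form does not
 * fit and never write beyond data[datasz - 1]. Returns 0 on success, -1 if
 * the line was rejected (data is left untouched in that case). */
int build_setboard(char *data, size_t datasz, const char *epdline)
{
    size_t n = strcspn(epdline, "\n");
    if (PREFIX_LEN + n + 1 > datasz)
        return -1;
    memcpy(data, PREFIX, PREFIX_LEN);
    memcpy(data + PREFIX_LEN, epdline, n);
    data[PREFIX_LEN + n] = '\0';
    return 0;
}

/* Builds into a MAXSTR buffer and returns 1 when the result equals expected. */
int setboard_equals(const char *epdline, const char *expected)
{
    char data[MAXSTR];
    return build_setboard(data, sizeof data, epdline) == 0 && strcmp(data, expected) == 0;
}

/* Constructed inputs (not from a real EPD file): a normal start position and
 * the longest line fgets(epdline, MAXSTR, fp) can return, i.e. MAXSTR-2
 * payload bytes followed by '\n'. */
const char *START_EPD = "rnbqkbnr/pppppppp/8/8/8/8/PPPPPPPP/RNBQKBNR w KQkq - 0 1\n";

const char *long_epd_line(void)
{
    static char line[MAXSTR];
    memset(line, 'a', MAXSTR - 2);
    line[MAXSTR - 2] = '\n';
    line[MAXSTR - 1] = '\0';
    return line;
}

int main(void)
{
    char data[MAXSTR];
    const char *crafted = long_epd_line();

    int rc = build_setboard(data, sizeof data, START_EPD);
    printf("start position: overflow %zu bytes, rc=%d -> \"%s\"\n",
           setboard_overflow_bytes(START_EPD, MAXSTR), rc, data);

    /* The 126-byte crafted line overruns data[] by 8 bytes in the unchecked
     * version (9 + 126 + 1 = 136 > 128); the checked version refuses it. */
    rc = build_setboard(data, sizeof data, crafted);
    printf("crafted line:   overflow %zu bytes, rc=%d\n",
           setboard_overflow_bytes(crafted, MAXSTR), rc);
    return 0;
}
```

Rejecting the line (rather than silently truncating it) is the safer choice here: a truncated EPD string would still be handed to the engine as a position and would fail later with a less useful error, whereas an explicit refusal keeps the input length bound visible at the one place where it matters.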

Comment 5 Riccardo Schirone 2019-09-11 14:27:25 UTC
Vulnerable code is present since version v5.9.90.

Comment 6 Product Security DevOps Team 2019-09-11 18:45:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15767

