oss-sec mailing list archives
CVE needed? / gnuchess 6.2.4 fixed user input buffer overflow
From: Sebastian Pipping <sebastian () pipping org>
Date: Sun, 13 Nov 2016 16:28:19 +0100
Hi there!

gnuchess 6.2.4 fixed a stack buffer overflow related to user move input, i.e. 160 characters of input can crash unpatched gnuchess 6.2.3. I am unsure if this can be used to execute arbitrary code and if it needs a CVE or not: gnuchess itself does not seem to accept input from a file, so it may need some other application in front (e.g. a website using gnuchess for a backend or some mobile/desktop application forwarding evil input to gnuchess with improper validation) to attack.

The patch in 6.2.4 is this; content from s goes into mvstr later:

# diff -u4 gnuchess-6.2.3/src/frontend/move.cc gnuchess-6.2.4/src/frontend/move.cc --- gnuchess-6.2.3/src/frontend/move.cc 2015-01-01 23:57:25.000000000 +0100 +++ gnuchess-6.2.4/src/frontend/move.cc 2016-09-20 01:12:35.000000000 +0200 @@ -541,8 +541,13 @@ char mvstr[MAXSTR], *p; BitBoard b, b2; leaf *n1, *n2; + /* User input could be longer than MAXSTR */ + if ( strlen(s) >= MAXSTR ) { + s[MAXSTR-1] = '\0'; + } + TreePtr[2] = TreePtr[1]; GenMoves (1); FilterIllegalMoves (1); side = board.side;

Thanks and best
Sebastian
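Review bot: the added check `+ if ( strlen(s) >= MAXSTR ) { + s[MAXSTR-1] = '\0'; + }` silently truncates over-long input in place, rewriting the caller's string rather than rejecting it, so a move string of MAXSTR or more characters is parsed as a different, shorter string instead of producing an error, and any later user of `s` sees the modified value. The overflow into `char mvstr[MAXSTR]` is closed, since the copied content now fits with its terminator, but returning an error to the caller (or copying into mvstr with a bounded call such as snprintf) would make the behaviour explicit. The `>=` comparison is correct: a string of exactly MAXSTR characters needs MAXSTR+1 bytes including the NUL.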
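To make the two possible policies concrete, here is an added example (not gnuchess code) that copies a user-supplied move string into a fixed-size buffer the way the 6.2.4 patch intends, once by rejecting over-long input and once by truncating it, without modifying the caller's string. MAXSTR, the two function names and the value 64 are assumptions for the demo; the 160-character input is constructed to match the crash length mentioned in the message.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed move buffer; gnuchess defines its own MAXSTR. */
#define MAXSTR 64

/* Length of s, but never scanning more than limit bytes, so an
 * unterminated or very long input cannot be walked past the limit. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Strict policy: refuse input that would not fit in mvstr together with
 * its terminating NUL. Returns 0 on success, -1 if the input is too long;
 * on failure mvstr is left as an empty string. */
int copy_move_strict(const char *s, char mvstr[MAXSTR])
{
    size_t len = bounded_len(s, MAXSTR);
    if (len >= MAXSTR) {
        mvstr[0] = '\0';
        return -1;
    }
    memcpy(mvstr, s, len + 1);   /* len + 1 includes the NUL, still < = MAXSTR */
    return 0;
}

/* Truncating policy, as in the 6.2.4 patch (keep the first MAXSTR-1 bytes),
 * but applied while copying so the caller's s is never written to.
 * Returns 1 if truncation happened, 0 otherwise. */
int copy_move_truncating(const char *s, char mvstr[MAXSTR])
{
    size_t len = bounded_len(s, MAXSTR);
    int truncated = (len >= MAXSTR);
    if (truncated)
        len = MAXSTR - 1;
    memcpy(mvstr, s, len);
    mvstr[len] = '\0';
    return truncated;
}

int main(void)
{
    char mvstr[MAXSTR];
    char longmove[161];                 /* constructed: 160 x 'a' */
    memset(longmove, 'a', 160);
    longmove[160] = '\0';

    printf("strict: \"e2e4\" -> %d, 160-char input -> %d\n",
           copy_move_strict("e2e4", mvstr), copy_move_strict(longmove, mvstr));
    printf("truncating: 160-char input -> truncated=%d, kept %zu chars\n",
           copy_move_truncating(longmove, mvstr), strlen(mvstr));
    return 0;
}
```

The strict variant is the one a front end should normally prefer: a move string longer than any legal move notation is not a move at all, and reporting that is more useful than parsing a silently shortened string.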