oss-sec mailing list archives

Re: Re: CVE needed? / gnuchess 6.2.4 fixed user input buffer overflow

From: Sebastian Pipping <sebastian () pipping org>
Date: Mon, 14 Nov 2016 19:58:01 +0100

Thanks for pointing to -u / UCI mode.

I guess it does make sense to request/assign a CVE then.

The initial report seems to be by Antti Karjalainen at
http://lists.gnu.org/archive/html/bug-gnu-chess/2015-10/msg00002.html .

Best, Sebastian


On 14.11.2016 10:42, cve-assign () mitre org wrote:

The reference for this bug is:

  http://svn.savannah.gnu.org/viewvc?view=rev&root=chess&revision=134

may need some other application in front (e.g. a website
using gnuchess for a backend or some mobile/desktop application
forwarding evil input to gnuchess with improper validation) to attack.


Is it vulnerable without such an application if launched as
"gnuchess -u" (UCI mode)? For example, is it taking untrusted input of
4096 characters and sending it to the ValidateMove function that is
expecting 128?


  #define BUF_SIZE 4096

  #define MAXSTR 128


  if ( flags & UCI )
  ...
  NextEngineCmd();
  ...
  ReadFromEngine();


  static char engineinputbuf[BUF_SIZE]="";


  nread = read( pipefd_a2f[0], engineinputaux, BUF_SIZE );
  strcat( engineinputbuf, engineinputaux );


  char enginemovestr[BUF_SIZE]="";
  enginemove = ValidateMove( enginemovestr );

Current thread:

CVE needed? / gnuchess 6.2.4 fixed user input buffer overflow Sebastian Pipping (Nov 13)
- Re: CVE needed? / gnuchess 6.2.4 fixed user input buffer overflow cve-assign (Nov 14)
  - Re: Re: CVE needed? / gnuchess 6.2.4 fixed user input buffer overflow Sebastian Pipping (Nov 14)
    - Re: CVE needed? / gnuchess 6.2.4 fixed user input buffer overflow cve-assign (Nov 14)