Bug 711264 (CVE-2019-15767) - <games-board/gnuchess-6.2.7: Buffer overflow (CVE-2019-15767)
Summary: <games-board/gnuchess-6.2.7: Buffer overflow (CVE-2019-15767)
Status: RESOLVED FIXED
Alias: CVE-2019-15767
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.gnu.org/archive/html/bu...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 720792
Blocks:
Reported: 2020-03-01 23:47 UTC by Sam James
Modified: 2020-07-26 05:16 UTC

See Also:
Package list:
=games-board/gnuchess-6.2.7 *
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 23:47:21 UTC
Description:
"In GNU Chess 6.2.5, there is a stack-based buffer overflow in the cmd_load function in frontend/cmd.cc via a crafted chess position in an EPD file."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-19 08:19:10 UTC
@maintainer(s), please create an ebuild for version 6.2.6 (just released) which contains a fix for this.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-19 22:19:38 UTC
CVE-2019-15767 (https://nvd.nist.gov/vuln/detail/CVE-2019-15767):
  In GNU Chess 6.2.5, there is a stack-based buffer overflow in the cmd_load
  function in frontend/cmd.cc via a crafted chess position in an EPD file.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-11 12:16:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36e5d110f650769a6657df8955fb51c0b4cc615b

commit 36e5d110f650769a6657df8955fb51c0b4cc615b
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-06-11 12:15:49 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-06-11 12:15:49 +0000

    games-board/gnuchess: Version bump to 6.2.7
    
    Bug: https://bugs.gentoo.org/711264
    Bug: https://bugs.gentoo.org/720792
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: David Seifert <soap@gentoo.org>

 games-board/gnuchess/Manifest              |  1 +
 games-board/gnuchess/gnuchess-6.2.7.ebuild | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-11 16:08:14 UTC
@maintainer(s), thanks, let us know when ready for stabling
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-14 21:57:13 UTC
Stabilisation is happening in bug 720792.
Comment 6 Larry the Git Cow gentoo-dev 2020-06-23 16:17:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0b0c28aae4466e2cb6398eaa7578b8d342a2afa

commit f0b0c28aae4466e2cb6398eaa7578b8d342a2afa
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-06-23 16:16:56 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-06-23 16:16:56 +0000

    games-board/gnuchess: Remove old
    
    Bug: https://bugs.gentoo.org/711264
    Package-Manager: Portage-2.3.102, Repoman-2.3.23
    Signed-off-by: David Seifert <soap@gentoo.org>

 games-board/gnuchess/Manifest              |  2 --
 games-board/gnuchess/gnuchess-6.2.4.ebuild | 20 --------------------
 games-board/gnuchess/gnuchess-6.2.5.ebuild | 20 --------------------
 3 files changed, 42 deletions(-)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-23 16:19:33 UTC
Thanks!
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:16:40 UTC
GLSA vote: no. Closing, thanks all!