Bug 780855 (CVE-2021-30184) - <games-board/gnuchess-6.2.8-r1: code execution via malicious PGN file
Status: RESOLVED FIXED
Alias: CVE-2021-30184
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://lists.gnu.org/archive/html/bu...
Whiteboard: B2 [glsa+ cve]
Reported: 2021-04-07 14:52 UTC by John Helmert III
Modified: 2021-07-12 02:51 UTC
Package list:
games-board/gnuchess-6.2.8-r1
Runtime testing required: ---
nattka: sanity-check+
Description John Helmert III gentoo-dev Security 2021-04-07 14:52:25 UTC
Details at $URL, seems there's a patch available that upstream hasn't looked into yet.
Comment 1 Larry the Git Cow gentoo-dev 2021-05-09 22:39:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea7c1f9a4abc6ecd64c7d73d3c2ee1affee4b839

commit ea7c1f9a4abc6ecd64c7d73d3c2ee1affee4b839
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-09 22:16:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-09 22:39:15 +0000

    games-board/gnuchess: add 6.2.8
    
    Bug: https://bugs.gentoo.org/780855
    Signed-off-by: Sam James <sam@gentoo.org>

 games-board/gnuchess/Manifest              |  1 +
 games-board/gnuchess/gnuchess-6.2.8.ebuild | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
Comment 2 Sebastian Pipping gentoo-dev 2021-05-27 16:47:13 UTC
Hi!  I had a quick look at 6.2.8.  My impression is that the vulnerability fix did not make it into release 6.2.8 (from checking the diff of file cmd.cc between 6.2.7 and 6.2.8), despite the fact that the release date (2021-05-09) is after the related mails in the mail thread (2021-04-06).  Is that your impression too?

We could either cherry-pick the patch or ask about plans for a new release upstream.  I have been in contact with Antonio upstream before, I'd volunteer to mail him, but just an idea.
Comment 3 John Helmert III gentoo-dev Security 2021-05-30 16:04:13 UTC
(In reply to Sebastian Pipping from comment #2)
> Hi!  I had a quick look at 6.2.8.  My impression is that the vulnerability
> fix did not make it into release 6.2.8 (from checking the diff of file
> cmd.cc between 6.2.7 and 6.2.8), despite the fact that the release date
> (2021-05-09) is after the related mails in the mail thread (2021-04-06).  Is
> that your impression too?
> 
> We could either cherry-pick the patch or ask about plans for a new release
> upstream.  I have been in contact with Antonio upstream before, I'd
> volunteer to mail him, but just an idea.

I agree this doesn't seem to have made it into the release. Contacting upstream would be great, thanks!
Comment 4 Sebastian Pipping gentoo-dev 2021-05-30 16:45:21 UTC
(In reply to John Helmert III from comment #3)
> Contacting upstream would be great, thanks!

Done, mail sent just now.
Comment 5 Sebastian Pipping gentoo-dev 2021-05-30 16:46:15 UTC
(In reply to John Helmert III from comment #3)
> I agree this doesn't seem to have made it into the release.

PS: Thanks for checking and for the confirmation!
Comment 6 Sebastian Pipping gentoo-dev 2021-05-31 10:18:56 UTC
I have a first reply from upstream, reply sent.

Also, I just sent mail to NVD to mark 6.2.8 as vulnerable.  That should fix metadata at https://repology.org/project/gnuchess/information automatically, at least it has worked before.
Comment 7 Larry the Git Cow gentoo-dev 2021-06-02 11:35:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2d8827505a9f03a77a066cb21976932cf7eada7

commit c2d8827505a9f03a77a066cb21976932cf7eada7
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2021-06-02 11:32:16 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2021-06-02 11:34:59 +0000

    games-board/gnuchess: CVE-2021-30184
    
    Bug: https://bugs.gentoo.org/780855
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.19, Repoman-3.0.3

 .../files/gnuchess-6.2.8-cve-2021-30184.patch      | 72 ++++++++++++++++++++++
 games-board/gnuchess/gnuchess-6.2.8-r1.ebuild      | 21 +++++++
 2 files changed, 93 insertions(+)
Comment 8 Sam James archtester gentoo-dev Security 2021-06-02 12:34:00 UTC
(In reply to Sebastian Pipping from comment #6)
> I have a first reply from upstream, reply sent.
> 
> Also, I just sent mail to NVD to mark 6.2.8 as vulnerable.  That should fix
> metadata at https://repology.org/project/gnuchess/information automatically,
> at least it has worked before.

Thank you for your work on this!
Comment 9 Sam James archtester gentoo-dev Security 2021-06-06 23:18:25 UTC
amd64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-06-06 23:18:57 UTC
x86 done
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2021-06-07 06:33:46 UTC
ppc64 stable
Comment 12 Sam James archtester gentoo-dev Security 2021-07-05 22:35:12 UTC
arm64 done

all arches done
Comment 13 John Helmert III gentoo-dev Security 2021-07-06 01:10:02 UTC
Please cleanup
Comment 14 John Helmert III gentoo-dev Security 2021-07-06 01:16:07 UTC
GLSA request filed.
Comment 15 Larry the Git Cow gentoo-dev 2021-07-06 12:52:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca4b00dd4a33d76ef2696f421ba099d8855e2718

commit ca4b00dd4a33d76ef2696f421ba099d8855e2718
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2021-07-06 12:51:00 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2021-07-06 12:51:48 +0000

    games-board/gnuchess: Drop vulnerable
    
    Bug: https://bugs.gentoo.org/780855
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.20, Repoman-3.0.3

 games-board/gnuchess/Manifest              |  1 -
 games-board/gnuchess/gnuchess-6.2.7.ebuild | 16 ----------------
 games-board/gnuchess/gnuchess-6.2.8.ebuild | 17 -----------------
 3 files changed, 34 deletions(-)
Comment 16 John Helmert III gentoo-dev Security 2021-07-06 15:18:27 UTC
Thank you!
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2021-07-12 02:51:03 UTC
This issue was resolved and addressed in
 GLSA 202107-28 at https://security.gentoo.org/glsa/202107-28
by GLSA coordinator Sam James (sam_c).