Details at $URL, seems there's a patch available that upstream hasn't looked into yet.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea7c1f9a4abc6ecd64c7d73d3c2ee1affee4b839

commit ea7c1f9a4abc6ecd64c7d73d3c2ee1affee4b839
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-09 22:16:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-09 22:39:15 +0000

    games-board/gnuchess: add 6.2.8

    Bug: https://bugs.gentoo.org/780855
    Signed-off-by: Sam James <sam@gentoo.org>

 games-board/gnuchess/Manifest              |  1 +
 games-board/gnuchess/gnuchess-6.2.8.ebuild | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
Hi! I had a quick look at 6.2.8. My impression is that the vulnerability fix did not make it into release 6.2.8 (from checking the diff of file cmd.cc between 6.2.7 and 6.2.8), despite the fact that the release date (2021-05-09) is after the related mails in the mail thread (2021-04-06). Is that your impression too?

We could either cherry-pick the patch or ask about plans for a new release upstream. I have been in contact with Antonio upstream before, I'd volunteer to mail him, but just an idea.
(In reply to Sebastian Pipping from comment #2)
> Hi! I had a quick look at 6.2.8. My impression is that the vulnerability
> fix did not make it into release 6.2.8 (from checking the diff of file
> cmd.cc between 6.2.7 and 6.2.8), despite the fact that the release date
> (2021-05-09) is after the related mails in the mail thread (2021-04-06). Is
> that your impression too?
>
> We could either cherry-pick the patch or ask about plans for a new release
> upstream. I have been in contact with Antonio upstream before, I'd
> volunteer to mail him, but just an idea.

I agree this doesn't seem to have made it into the release. Contacting upstream would be great, thanks!
(In reply to John Helmert III from comment #3)
> Contacting upstream would be great, thanks!

Done, mail sent just now.
(In reply to John Helmert III from comment #3)
> I agree this doesn't seem to have made it into the release.

PS: Thanks for checking and for the confirmation!
I have a first reply from upstream, reply sent.

Also, I just sent mail to NVD to mark 6.2.8 as vulnerable. That should fix metadata at https://repology.org/project/gnuchess/information automatically, at least it has worked before.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2d8827505a9f03a77a066cb21976932cf7eada7

commit c2d8827505a9f03a77a066cb21976932cf7eada7
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2021-06-02 11:32:16 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2021-06-02 11:34:59 +0000

    games-board/gnuchess: CVE-2021-30184

    Bug: https://bugs.gentoo.org/780855
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.19, Repoman-3.0.3

 .../files/gnuchess-6.2.8-cve-2021-30184.patch | 72 ++++++++++++++++++++++
 games-board/gnuchess/gnuchess-6.2.8-r1.ebuild | 21 +++++++
 2 files changed, 93 insertions(+)
(In reply to Sebastian Pipping from comment #6)
> I have a first reply from upstream, reply sent.
>
> Also, I just sent mail to NVD to mark 6.2.8 as vulnerable. That should fix
> metadata at https://repology.org/project/gnuchess/information automatically,
> at least it has worked before.

Thank you for your work on this!
amd64 done
x86 done
ppc64 stable
arm64 done

all arches done
Please cleanup
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca4b00dd4a33d76ef2696f421ba099d8855e2718

commit ca4b00dd4a33d76ef2696f421ba099d8855e2718
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2021-07-06 12:51:00 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2021-07-06 12:51:48 +0000

    games-board/gnuchess: Drop vulnerable

    Bug: https://bugs.gentoo.org/780855
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.20, Repoman-3.0.3

 games-board/gnuchess/Manifest              |  1 -
 games-board/gnuchess/gnuchess-6.2.7.ebuild | 16 ----------------
 games-board/gnuchess/gnuchess-6.2.8.ebuild | 17 -----------------
 3 files changed, 34 deletions(-)
Thank you!
This issue was resolved and addressed in GLSA 202107-28 at https://security.gentoo.org/glsa/202107-28 by GLSA coordinator Sam James (sam_c).