bug#47729: CVE-2021-30184 Arbitrary code execution in GNU Chess [security]

bug#47729: CVE-2021-30184 Arbitrary code execution in GNU Chess [security]

[Maxime Devos]

[-- Attachment #1: Type: text/plain, Size: 756 bytes --]

From https://nvd.nist.gov/vuln/detail/CVE-2021-30184:

GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN
(Portable Game Notation) data. This is related to a buffer overflow in the use
of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in
frontend/cmd.cc.

Upstream bug report and patch:
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html

Upstream is aware of this issue and patch.  The patch is being reviewed upstream:

Response by Antonio Ceballos (<https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html>)
‘We will review it all in detail for a future release fixing the problem.’

I believe we should simply wait for upstream to make a release.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

bug#47729: Fixed: CVE-2021-30184 Arbitrary code execution in GNU Chess [security]

[Maxime Devos]

Fixed with https://git.savannah.gnu.org/cgit/guix.git/commit/?id=9a11f2380ff49756ace2f33bc96a88cdb6af5453.