Date: Sun, 13 Nov 2016 16:28:19 +0100
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
Cc: Antonio Ceballos <aceballos@...il.com>
Subject: CVE needed? / gnuchess 6.2.4 fixed user input buffer overflow

Hi there!


gnuchess 6.2.4 fixed a stack buffer overflow related to user move input,
i.e. a 160-character input can crash unpatched gnuchess 6.2.3.

I am unsure if this can be used to execute arbitrary code and if it
needs a CVE or not: gnuchess itself does not seem to accept input from a
file so it may need some other application in front (e.g. a website
using gnuchess for a backend or some mobile/desktop application
forwarding evil input to gnuchess with improper validation) to attack.

The patch in 6.2.4 is this; the content of s goes into mvstr later:


# diff -u4 gnuchess-6.2.3/src/frontend/move.cc gnuchess-6.2.4/src/frontend/move.cc
--- gnuchess-6.2.3/src/frontend/move.cc        2015-01-01 23:57:25.000000000 +0100
+++ gnuchess-6.2.4/src/frontend/move.cc        2016-09-20 01:12:35.000000000 +0200
@@ -541,8 +541,13 @@
    char mvstr[MAXSTR], *p;
    BitBoard b, b2;
    leaf *n1, *n2;

+   /* User input could be longer than MAXSTR */
+   if ( strlen(s) >= MAXSTR ) {
+      s[MAXSTR-1] = '\0';
+   }
+
    TreePtr[2] = TreePtr[1];
    GenMoves (1);
    FilterIllegalMoves (1);
    side = board.side;
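Review bot: truncating in place with `s[MAXSTR-1] = '\0';` mutates the caller's buffer and silently turns an overlong move string into a different, shorter move instead of reporting it as invalid; consider returning an error to the caller when `strlen(s) >= MAXSTR` rather than clamping, so a front end forwarding the input learns the move was rejected. The write is also only safe if every caller passes a writable buffer; if `s` can ever point at read-only storage, the assignment is undefined behaviour, so either document that requirement or switch to the reject-and-return approach, which needs no write into `s` at all.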


Thanks and best



Sebastian
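The pattern described in the mail, as an added example that is not code from gnuchess or from the mail's author: a fixed-size stack buffer fed by an unbounded copy, the clamp-in-place fix from 6.2.4 modelled next to it, and a reject-instead-of-truncate variant plus a strict front-end filter of the kind a web or desktop wrapper could apply before forwarding moves. The value of MAXSTR, the strcpy-based copy, the move alphabet and the 160-byte sample input are assumptions made for the example; the mail does not show gnuchess's definitions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for this example; the mail does not show gnuchess's MAXSTR.
   The copy pattern is what matters, not the constant. */
#define MAXSTR 128

/* Model of the 6.2.3 pattern: move text copied into a fixed stack buffer
   with no length check. A 160-byte input writes past mvstr and smashes
   the stack, so main() only ever calls this with a short move. */
static int parse_move_6_2_3_style(const char *s)
{
    char mvstr[MAXSTR];
    strcpy(mvstr, s);                 /* unbounded copy: the bug */
    return (int)strlen(mvstr);
}

/* Model of the 6.2.4 fix: clamp the input in place before the copy.
   No overflow, but it mutates the caller's buffer and silently turns an
   overlong string into a different, shorter move. */
static int parse_move_truncate(char *s)
{
    char mvstr[MAXSTR];
    if (strlen(s) >= MAXSTR)
        s[MAXSTR - 1] = '\0';
    strcpy(mvstr, s);
    return (int)strlen(mvstr);
}

/* Alternative: reject instead of truncate. Returns the move length on
   success or -1 for overlong input, leaving `out` untouched on failure. */
static int parse_move_reject(const char *s, char *out, size_t outlen)
{
    size_t n = strlen(s);
    if (n >= outlen)
        return -1;
    memcpy(out, s, n + 1);
    return (int)n;
}

/* Hypothetical front-end check for a wrapper that forwards user input to
   gnuchess: a coordinate or SAN move is at most 7 characters (e.g. "exd8=Q+")
   and uses a small alphabet (assumed here). Deliberately strict: accept only
   what a move needs, and drop everything else before it reaches the engine. */
static int is_plausible_move(const char *s)
{
    static const char allowed[] = "abcdefgh12345678NBRQKxO-=+#";
    size_t n = strlen(s);
    if (n == 0 || n > 7)
        return 0;
    return strspn(s, allowed) == n;
}

/* Constructed 160-character input, the length quoted in the mail. */
static char *long_input(void)
{
    static char buf[161];
    memset(buf, 'a', 160);
    buf[160] = '\0';
    return buf;
}

/* 1 if the reject path refuses the long input and leaves `out` alone. */
static int long_input_is_rejected(void)
{
    char out[MAXSTR];
    memcpy(out, "sentinel", 9);
    if (parse_move_reject(long_input(), out, sizeof out) != -1)
        return 0;
    return strcmp(out, "sentinel") == 0;
}

int main(void)
{
    char out[MAXSTR];
    printf("short move, unchecked copy: %d chars\n", parse_move_6_2_3_style("e2e4"));
    printf("160-char input, truncated:  %d chars kept\n", parse_move_truncate(long_input()));
    printf("160-char input, rejected:   %d\n", parse_move_reject(long_input(), out, sizeof out));
    printf("front-end filter: \"exd8=Q+\" -> %d, 160 x 'a' -> %d\n",
           is_plausible_move("exd8=Q+"), is_plausible_move(long_input()));
    return 0;
}
```

The truncating variant reproduces the shape of the 6.2.4 patch and is enough to stop the crash; the rejecting variant is the one to prefer in a wrapper, because it never writes into the caller's string and the caller learns that the move was refused rather than receiving an answer for a move the user did not type.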
