Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 14 Nov 2016 19:58:01 +0100
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
Cc: Antonio Ceballos <aceballos@...il.com>
Subject: Re: Re: CVE needed? / gnuchess 6.2.4 fixed user input
 buffer overflow

Thanks for pointing to -u / UCI mode.

I guess it does make sense to request/assign a CVE then.

The initial report seems to be by Antti Karjalainen at
http://lists.gnu.org/archive/html/bug-gnu-chess/2015-10/msg00002.html .

Best, Sebastian


On 14.11.2016 10:42, cve-assign@...re.org wrote:
> The reference for this bug is:
> 
>   http://svn.savannah.gnu.org/viewvc?view=rev&root=chess&revision=134
> 
>> may need some other application in front (e.g. a website
>> using gnuchess for a backend or some mobile/desktop application
>> forwarding evil input to gnuchess with improper validation) to attack.
> 
> Is it vulnerable without such an application if launched as
> "gnuchess -u" (UCI mode)? For example, is it taking untrusted input of
> 4096 characters and sending it to the ValidateMove function that is
> expecting 128?
> 
> 
>   #define BUF_SIZE 4096
> 
>   #define MAXSTR 128
> 
> 
>   if ( flags & UCI )
>   ...
>   NextEngineCmd();
>   ...
>   ReadFromEngine();
> 
> 
>   static char engineinputbuf[BUF_SIZE]="";
> 
> 
>   nread = read( pipefd_a2f[0], engineinputaux, BUF_SIZE );
>   strcat( engineinputbuf, engineinputaux );
> 
> 
>   char enginemovestr[BUF_SIZE]="";
>   enginemove = ValidateMove( enginemovestr );
> 
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.