![]() |
|
Message-ID: <5147e375-7b26-a93d-b052-85cd8222c9fa@pipping.org> Date: Mon, 14 Nov 2016 19:58:01 +0100 From: Sebastian Pipping <sebastian@...ping.org> To: oss-security@...ts.openwall.com Cc: Antonio Ceballos <aceballos@...il.com> Subject: Re: Re: CVE needed? / gnuchess 6.2.4 fixed user input buffer overflow Thanks for pointing to -u / UCI mode. I guess it does make sense to request/assign a CVE then. The initial report seems to be by Antti Karjalainen at http://lists.gnu.org/archive/html/bug-gnu-chess/2015-10/msg00002.html . Best, Sebastian On 14.11.2016 10:42, cve-assign@...re.org wrote: > The reference for this bug is: > > http://svn.savannah.gnu.org/viewvc?view=rev&root=chess&revision=134 > >> may need some other application in front (e.g. a website >> using gnuchess for a backend or some mobile/desktop application >> forwarding evil input to gnuchess with improper validation) to attack. > > Is it vulnerable without such an application if launched as > "gnuchess -u" (UCI mode)? For example, is it taking untrusted input of > 4096 characters and sending it to the ValidateMove function that is > expecting 128? > > > #define BUF_SIZE 4096 > > #define MAXSTR 128 > > > if ( flags & UCI ) > ... > NextEngineCmd(); > ... > ReadFromEngine(); > > > static char engineinputbuf[BUF_SIZE]=""; > > > nread = read( pipefd_a2f[0], engineinputaux, BUF_SIZE ); > strcat( engineinputbuf, engineinputaux ); > > > char enginemovestr[BUF_SIZE]=""; > enginemove = ValidateMove( enginemovestr ); > >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.