Bug 29026 - gnuchess new security issue CVE-2021-30184
Summary: gnuchess new security issue CVE-2021-30184
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-29 22:30 CEST by David Walser
Modified: 2021-06-13 23:34 CEST

See Also:
Source RPM: gnuchess-6.2.7-1.mga8.src.rpm
CVE: CVE-2021-30184
Status comment:



Description David Walser 2021-05-29 22:30:57 CEST
Fedora has issued an advisory on April 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QC74RWMDLSQGV6Z3ZABNTPABB33S4YNF/

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-29 22:31:16 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
CC: (none) => geiger.david68210
Status comment: (none) => Patch available from Fedora

Comment 1 Lewis Smith 2021-05-30 20:32:35 CEST
This SRPM has various committers, so assigning the bug globally.
DavidG already CC'd.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-06-02 14:06:26 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN (Portable Game Notation) data. This is related to a buffer overflow in the use of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in frontend/cmd.cc. (CVE-2021-30184)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30184
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QC74RWMDLSQGV6Z3ZABNTPABB33S4YNF/
========================

Updated package in 7/core/updates_testing:
========================
gnuchess-6.2.6-1.1.mga7

from SRPM:
gnuchess-6.2.6-1.1.mga7.src.rpm

Updated package in 8/core/updates_testing:
========================
gnuchess-6.2.7-1.1.mga8

from SRPM:
gnuchess-6.2.7-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-30184
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Patch available from Fedora => (none)
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs

Comment 3 Hugues Detavernier 2021-06-03 21:59:08 CEST
Mga 8 x64 KDE

No installation issues.

Name        : gnuchess
Version     : 6.2.7
Release     : 1.1.mga8
Group       : Games/Boards
Size        : 3636222       Architecture: x86_64

Tested with xboard
Name        : xboard
Version     : 4.9.1
Release     : 6.mga8
Group       : Games/Boards
Size        : 4427031       Architecture: x86_64

No problems detected.

CC: (none) => hdetavernier

Comment 4 Thomas Andrews 2021-06-09 01:27:06 CEST
Mga7-64 Plasma in VirtualBox.

No installation issues. Tested with xboard, seemed good.

Giving this two OKs, and validating. Advisory in Comment 2.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-06-13 21:51:26 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 5 Mageia Robot 2021-06-13 23:34:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0250.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

