Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <22143afd-005a-6fff-2c75-f5e74c2b92fe@pipping.org>
Date: Sun, 13 Nov 2016 16:28:19 +0100
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
Cc: Antonio Ceballos <aceballos@...il.com>
Subject: CVE needed? / gnuchess 6.2.4 fixed user input buffer overflow

Hi there!


gnuchess 6.2.4 fixed a stack buffer overflow related to user move input,
i.e. 160 characters input can crash unpatched gnuchess 6.2.3.

I am unsure if this can be used to execute arbitrary code and if it
needs a CVE or not: gnuchess itself does not seem to accept input from a
file so it may need some other application in front (e.g. a website
using gnuchess for a backend or some mobile/desktop application
forwarding evil input to gnuchess with improper validation) to attack.

The patch in 6.2.4 is this, content from s goes into mvstr later:


# diff -u4 gnuchess-6.2.3/src/frontend/move.cc
gnuchess-6.2.4/src/frontend/move.cc
--- gnuchess-6.2.3/src/frontend/move.cc        2015-01-01
23:57:25.000000000 +0100
+++ gnuchess-6.2.4/src/frontend/move.cc        2016-09-20
01:12:35.000000000 +0200
@@ -541,8 +541,13 @@
    char mvstr[MAXSTR], *p;
    BitBoard b, b2;
    leaf *n1, *n2;

+   /* User input could be longer than MAXSTR */
+   if ( strlen(s) >= MAXSTR ) {
+      s[MAXSTR-1] = '\0';
+   }
+
    TreePtr[2] = TreePtr[1];
    GenMoves (1);
    FilterIllegalMoves (1);
    side = board.side;


Thanks and best



Sebastian

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.