CVE-2021-30184 – CVE-2021-30184 is a buffer overflow vulnerabili... (How to Fix)

Q: What is the severity of CVE-2021-30184?

CVE-2021-30184 has a CVSS score of 7.8 (HIGH). CVE-2021-30184 is a buffer overflow vulnerability in GNU Chess 6.2.7 that allows attackers to execute arbitrary code by providing malicious PGN (Portable Game Notation) data. This affects users who process untrusted PGN files with vulnerable versions of GNU Chess, potentially leading to complete system compromise.

📋 TL;DR

CVE-2021-30184 is a buffer overflow vulnerability in GNU Chess 6.2.7 that allows attackers to execute arbitrary code by providing malicious PGN (Portable Game Notation) data. This affects users who process untrusted PGN files with vulnerable versions of GNU Chess, potentially leading to complete system compromise.

💻 Affected Systems

Products:

GNU Chess

Versions: 6.2.7 specifically (and potentially earlier versions with same code)

Operating Systems: Linux, Unix-like systems

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability triggers when processing PGN files via cmd_pgnload or cmd_pgnreplay functions

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Local privilege escalation or denial of service when processing malicious PGN files from untrusted sources.

🟢

If Mitigated

Limited impact if systems don't process untrusted PGN files or have proper input validation in place.

🌐 Internet-Facing: LOW (GNU Chess is typically not exposed to internet-facing services)

🏢 Internal Only: MEDIUM (Risk exists if processing untrusted PGN files internally)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires crafting malicious PGN files and getting them processed by vulnerable GNU Chess instances

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.8 or later

Vendor Advisory: https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html

Restart Required: No

Instructions:

1. Update GNU Chess to version 6.2.8 or later using your distribution's package manager. 2. For Fedora/RHEL: 'sudo dnf update gnushogi'. 3. For Debian/Ubuntu: 'sudo apt update && sudo apt upgrade gnushogi'. 4. Verify installation with 'gnushogi --version'.

🔧 Temporary Workarounds

Restrict PGN file processing

all

Avoid processing untrusted PGN files with GNU Chess

Remove vulnerable version

linux

Uninstall GNU Chess 6.2.7 if not needed

sudo apt remove gnushogi
sudo dnf remove gnushogi
sudo yum remove gnushogi

🧯 If You Can't Patch

Implement strict input validation for PGN files before processing
Run GNU Chess in sandboxed/containerized environments with limited privileges

🔍 How to Verify

Check if Vulnerable:

Check GNU Chess version: 'gnushogi --version' or 'rpm -q gnushogi' or 'dpkg -l | grep gnushogi'

Check Version:

gnushogi --version

Verify Fix Applied:

Confirm version is 6.2.8 or later: 'gnushogi --version' should show 6.2.8+

📡 Detection & Monitoring

Log Indicators:

Segmentation faults or abnormal termination of GNU Chess processes
Unexpected file operations in /tmp directory

Network Indicators:

Unusual outbound connections from GNU Chess processes

SIEM Query:

process_name:"gnushogi" AND (event_type:"segfault" OR exit_code:139)

📊 Metadata

CVE ID: CVE-2021-30184

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-120

Published: April 7, 2021

Last Updated: January 12, 2025

🔗 References

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QC74RWMDLSQGV6Z3ZABNTPABB33S4YNF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOGPLC77ZL2FACSOE5MWDS3YH3RBNQAQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXOTMUSBVUZNA3JMPG6BU37DQW2YOJWS/
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html Exploit,Mailing List,Patch,Vendor Advisory
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html Exploit,Mailing List,Vendor Advisory
https://security.gentoo.org/glsa/202107-28 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/01/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QC74RWMDLSQGV6Z3ZABNTPABB33S4YNF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOGPLC77ZL2FACSOE5MWDS3YH3RBNQAQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXOTMUSBVUZNA3JMPG6BU37DQW2YOJWS/
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html Exploit,Mailing List,Patch,Vendor Advisory
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html Exploit,Mailing List,Vendor Advisory
https://security.gentoo.org/glsa/202107-28 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-30184, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Chess by Gnu

Fedora by Fedoraproject

Fedora by Fedoraproject

Fedora by Fedoraproject

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict PGN file processing

Remove vulnerable version

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities