Bug#947005: nethack: buffer overflow when parsing config files
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 19 19:38:45 GMT 2019
Control: retitle -1 nethack: CVE-2019-19905: buffer overflow when parsing config files
On Thu, Dec 19, 2019 at 11:57:42AM +0100, Reiner Herrmann wrote:
> Source: nethack
> Version: 3.6.0-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: team at security.debian.org
>
> Hi,
>
> a new version of NetHack has been released that fixes a privilege
> escalation issue introduced in 3.6.0 [0] [1]:
>
> > A buffer overflow issue exists when reading very long lines from a
> > NetHack configuration file (usually named .nethackrc).
> >
> > This vulnerability affects systems that have NetHack installed suid/sgid
> > and shared systems that allow users to upload their own configuration
> > files.
> >
> > All users are urged to upgrade to NetHack 3.6.4 as soon as possible.
>
> As the Debian packages ship setgid binaries, I think they are affected by it.
>
> At least these two commits look related:
> https://github.com/NetHack/NetHack/commit/f4a840a
> https://github.com/NetHack/NetHack/commit/f001de7
This issue has been assigned CVE-2019-19905 by MITRE.
Regards,
Salvatore
More information about the Pkg-games-devel
mailing list