Source: nethack
Version: 3.6.0-1
Severity: grave
Tags: security
X-Debbugs-Cc: t...@security.debian.org

Hi,

a new version of NetHack has been released that fixes a privilege escalation issue introduced in 3.6.0 [0] [1]:

> A buffer overflow issue exists when reading very long lines from a
> NetHack configuration file (usually named .nethackrc).
>
> This vulnerability affects systems that have NetHack installed suid/sgid
> and shared systems that allow users to upload their own configuration
> files.
>
> All users are urged to upgrade to NetHack 3.6.4 as soon as possible.

As the Debian packages ship setgid binaries, I think they are affected by it.

At least these two commits look related:

https://github.com/NetHack/NetHack/commit/f4a840a
https://github.com/NetHack/NetHack/commit/f001de7

Regards,
Reiner

[0] https://nethack.org/security/index.html
[1] https://nethack.org/v364/release.html
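
Added example, not part of the report above and not NetHack's own code: a C sketch of bounded line reading for a configuration file, where a line longer than the buffer is rejected whole instead of being copied or split. The 64-byte buffer, the function names and the sample option lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define LINE_BUF 64 /* assumed size for this example, not NetHack's value */
struct scan_result { int accepted, rejected; };

/* 1 = line stored in buf, 0 = end of file, -1 = overlong line discarded */
static int read_config_line(FILE *fp, char *buf, size_t bufsz)
{
    if (fgets(buf, (int)bufsz, fp) == NULL) return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c = fgetc(fp);              /* no newline seen: look past the buffer */
    if (c == EOF) return 1;         /* final line without trailing newline */
    while (c != '\n' && c != EOF)   /* drain the tail so it is never parsed */
        c = fgetc(fp);              /* as a line of its own */
    buf[0] = '\0';
    return -1;
}

/* Constructed sample: two normal lines around one 208-character line. */
const char *sample_config(void)
{
    static char text[512];
    size_t n = (size_t)snprintf(text, sizeof text, "OPTIONS=color\nOPTIONS=");
    memset(text + n, 'A', 200);
    strcpy(text + n + 200, "\nOPTIONS=time\n");
    return text;
}

/* Parse text through a temporary file and count accepted/rejected lines. */
struct scan_result scan_config(const char *text)
{
    struct scan_result r = { 0, 0 };
    char line[LINE_BUF]; int rc;
    FILE *fp = tmpfile();
    if (fp == NULL) return r;
    fputs(text, fp); rewind(fp);
    while ((rc = read_config_line(fp, line, sizeof line)) != 0)
        if (rc == 1) r.accepted++; else r.rejected++;
    fclose(fp);
    return r;
}

int main(void)
{
    struct scan_result r = scan_config(sample_config());
    return printf("accepted=%d rejected=%d\n", r.accepted, r.rejected) < 0;
}
```

A line of exactly `LINE_BUF - 1` characters is also rejected, because its newline does not fit in the buffer; that keeps the accept path to lines that were read complete.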