Processed: Re: Bug#947005: nethack: buffer overflow when parsing config files
Processing commands for cont...@bugs.debian.org:

> tags 947005 pending
Bug #947005 [src:nethack] nethack: CVE-2019-19905: buffer overflow when parsing config files
Added tag(s) pending.
> tags 953978 pending
Bug #953978 [src:nethack] nethack: CVE-2020-5254
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
947005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947005
953978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#947005: nethack: buffer overflow when parsing config files
Version 3.6.5 has been released, which fixes additional security issues:
CVE-2020-5209, CVE-2020-5210, CVE-2020-5211, CVE-2020-5212, CVE-2020-5213, CVE-2020-5214.

See also:
https://nethack.org/v365/release.html
https://www.nethack.org/security/
Bug#947005: nethack: buffer overflow when parsing config files
Control: retitle -1 nethack: CVE-2019-19905: buffer overflow when parsing config files

On Thu, Dec 19, 2019 at 11:57:42AM +0100, Reiner Herrmann wrote:
> Source: nethack
> Version: 3.6.0-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: t...@security.debian.org
>
> Hi,
>
> a new version of NetHack has been released that fixes a privilege
> escalation issue introduced in 3.6.0 [0] [1]:
>
> > A buffer overflow issue exists when reading very long lines from a
> > NetHack configuration file (usually named .nethackrc).
> >
> > This vulnerability affects systems that have NetHack installed suid/sgid
> > and shared systems that allow users to upload their own configuration
> > files.
> >
> > All users are urged to upgrade to NetHack 3.6.4 as soon as possible.
>
> As the Debian packages ship setgid binaries, I think they are affected by it.
>
> At least these two commits look related:
> https://github.com/NetHack/NetHack/commit/f4a840a
> https://github.com/NetHack/NetHack/commit/f001de7

This issue has been assigned CVE-2019-19905 by MITRE.

Regards,
Salvatore
Processed: Re: Bug#947005: nethack: buffer overflow when parsing config files
Processing control commands:

> retitle -1 nethack: CVE-2019-19905: buffer overflow when parsing config files
Bug #947005 [src:nethack] nethack: buffer overflow when parsing config files
Changed Bug title to 'nethack: CVE-2019-19905: buffer overflow when parsing config files' from 'nethack: buffer overflow when parsing config files'.

--
947005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947005
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#947005: nethack: buffer overflow when parsing config files
Source: nethack
Version: 3.6.0-1
Severity: grave
Tags: security
X-Debbugs-Cc: t...@security.debian.org

Hi,

a new version of NetHack has been released that fixes a privilege
escalation issue introduced in 3.6.0 [0] [1]:

> A buffer overflow issue exists when reading very long lines from a
> NetHack configuration file (usually named .nethackrc).
>
> This vulnerability affects systems that have NetHack installed suid/sgid
> and shared systems that allow users to upload their own configuration
> files.
>
> All users are urged to upgrade to NetHack 3.6.4 as soon as possible.

As the Debian packages ship setgid binaries, I think they are affected by it.

At least these two commits look related:
https://github.com/NetHack/NetHack/commit/f4a840a
https://github.com/NetHack/NetHack/commit/f001de7

Regards,
Reiner

[0] https://nethack.org/security/index.html
[1] https://nethack.org/v364/release.html
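
The advisory quoted in this thread concerns very long lines in a configuration file. The following is an added example, not part of any message in the thread and not NetHack's code or the fix in the linked commits: a bounded config-line reader that rejects an over-long line whole instead of overflowing or parsing its tail as a new line. CFG_LINE_MAX, read_cfg_line, count_lines and SAMPLE are names and values assumed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CFG_LINE_MAX 32 /* assumed limit for this example, not NetHack's value */
/* Constructed sample: two short lines around one line longer than the buffer. */
static const char SAMPLE[] =
    "OPTIONS=color\n"
    "OPTIONS=fruit:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
    "OPTIONS=autopickup\n";

/* Returns 1 for a complete line, 0 for a rejected over-long line, -1 at EOF. */
static int read_cfg_line(FILE *fp, char *buf, size_t size)
{
    size_t len;
    int c;

    if (!fgets(buf, (int)size, fp)) /* fgets never writes past size bytes */
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    if (feof(fp)) /* final line without a trailing newline */
        return 1;
    /* Did not fit: drain the rest so the tail is never parsed as a new line. */
    while ((c = getc(fp)) != EOF && c != '\n')
        ;
    buf[0] = '\0';
    return 0;
}

/* Counts accepted (want_rejected == 0) or rejected lines in config text. */
static int count_lines(const char *text, int want_rejected)
{
    char buf[CFG_LINE_MAX];
    int r, accepted = 0, rejected = 0;
    FILE *fp = tmpfile();

    if (!fp) return -1;
    fputs(text, fp);
    rewind(fp);
    while ((r = read_cfg_line(fp, buf, sizeof buf)) != -1)
        r ? accepted++ : rejected++;
    fclose(fp);
    return want_rejected ? rejected : accepted;
}

int main(void)
{
    printf("accepted=%d rejected=%d\n", count_lines(SAMPLE, 0), count_lines(SAMPLE, 1));
    return 0;
}
```

A line that exactly fills the buffer with no newline before EOF is also rejected, which errs on the conservative side.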