Control: retitle -1 nethack: CVE-2019-19905: buffer overflow when parsing config files
On Thu, Dec 19, 2019 at 11:57:42AM +0100, Reiner Herrmann wrote: > Source: nethack > Version: 3.6.0-1 > Severity: grave > Tags: security > X-Debbugs-Cc: t...@security.debian.org > > Hi, > > a new version of NetHack has been released that fixes a privilege > escalation issue introduced in 3.6.0 [0] [1]: > > > A buffer overflow issue exists when reading very long lines from a > > NetHack configuration file (usually named .nethackrc). > > > > This vulnerability affects systems that have NetHack installed suid/sgid > > and shared systems that allow users to upload their own configuration > > files. > > > > All users are urged to upgrade to NetHack 3.6.4 as soon as possible. > > As the Debian packages ship setgid binaries, I think they are affected by it. > > At least these two commits look related: > https://github.com/NetHack/NetHack/commit/f4a840a > https://github.com/NetHack/NetHack/commit/f001de7 This issue has been assigned CVE-2019-19905 by MITRE. Regards, Salvatore
