Bug 706200 (CVE-2019-19905) - <games-roguelike/nethack-3.6.4: buffer overflow when reading long lines from a NetHack configuration file (CVE-2019-19905)
Summary: <games-roguelike/nethack-3.6.4: buffer overflow when reading long lines from ...
Status: RESOLVED FIXED
Alias: CVE-2019-19905
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://nethack.org/security/index.html
Whiteboard: ~2 [noglsa cve]
Reported: 2020-01-23 21:28 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-28 20:17 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2020-01-23 21:28:53 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-01-23 21:30:04 UTC
From $URL:

NetHack: Privilege escalation/remote code execution/crash in configuration parsing

Severity: High
Affected versions: 3.6.0, 3.6.1, 3.6.2, 3.6.3
First Patched Version: 3.6.4

CVE-2019-19905

Basic Information:
A buffer overflow issue exists when reading very long lines from a NetHack configuration file (usually named .nethackrc).

This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files.

All users are urged to upgrade to NetHack 3.6.4 as soon as possible.

Additional information related to this advisory, if any, will be made available at https://nethack.org/security.

Timeline:
18-Dec-2019 NetHack 3.6.4 released with fix.
13-Dec-2019 Bug reported.
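
An exposure check based on the advisory quoted in comment 1, added here as an example; it is not part of the bug report, NetHack, or Gentoo tooling. The function names and the 1024-byte screening threshold are assumptions: the advisory does not state the size of the buffer involved.

```shell
#!/bin/sh
# Added example: exposure triage for CVE-2019-19905, built only from the
# advisory text (affected 3.6.0-3.6.3, first patched 3.6.4; suid/sgid
# installs and user-uploaded configuration files are the exposed cases).

# Assumed screening threshold in bytes; NOT NetHack's real buffer size.
MAX_LINE=1024

# Return 0 if VERSION is one of the releases the advisory lists as affected.
nethack_version_affected() {
    case "$1" in
        3.6.0|3.6.1|3.6.2|3.6.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if FILE carries the setuid or setgid bit.
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Print the length in bytes of the longest line in FILE (0 if empty).
longest_line() {
    LC_ALL=C awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$1"
}

# Classify an install from its version string and binary path.
# Prints: not-listed | affected | affected-setid
classify_install() {
    version=$1
    binary=$2
    if ! nethack_version_affected "$version"; then
        echo not-listed
    elif has_setid "$binary"; then
        echo affected-setid
    else
        echo affected
    fi
}

# Screen a user-supplied configuration file before it reaches an unpatched
# binary: return 0 if any line is longer than LIMIT (default MAX_LINE).
config_has_long_line() {
    [ "$(longest_line "$1")" -gt "${2:-$MAX_LINE}" ]
}
```

Screening uploaded files is a stopgap for hosts that cannot upgrade immediately; the advisory's remedy is the upgrade to 3.6.4.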
Comment 2 Larry the Git Cow gentoo-dev 2020-01-25 10:56:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ed9103effd31e645b9405b52507cb88aaa7ef6d

commit 2ed9103effd31e645b9405b52507cb88aaa7ef6d
Author:     Stefan Strogin <steils@gentoo.org>
AuthorDate: 2020-01-25 10:54:46 +0000
Commit:     Stefan Strogin <steils@gentoo.org>
CommitDate: 2020-01-25 10:55:56 +0000

    games-roguelike/nethack: version bump to 3.6.4
    
    Bug: https://bugs.gentoo.org/706200
    Package-Manager: Portage-2.3.85, Repoman-2.3.20
    Signed-off-by: Stefan Strogin <steils@gentoo.org>

 games-roguelike/nethack/Manifest             |   1 +
 games-roguelike/nethack/nethack-3.6.4.ebuild | 129 +++++++++++++++++++++++++++
 2 files changed, 130 insertions(+)
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-27 12:38:19 UTC
(In reply to Larry the Git Cow from comment #2)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ed9103effd31e645b9405b52507cb88aaa7ef6d
> 
> commit 2ed9103effd31e645b9405b52507cb88aaa7ef6d
> Author:     Stefan Strogin <steils@gentoo.org>
> AuthorDate: 2020-01-25 10:54:46 +0000
> Commit:     Stefan Strogin <steils@gentoo.org>
> CommitDate: 2020-01-25 10:55:56 +0000
> 
>     games-roguelike/nethack: version bump to 3.6.4
>     
>     Bug: https://bugs.gentoo.org/706200
>     Package-Manager: Portage-2.3.85, Repoman-2.3.20
>     Signed-off-by: Stefan Strogin <steils@gentoo.org>
> 
>  games-roguelike/nethack/Manifest             |   1 +
>  games-roguelike/nethack/nethack-3.6.4.ebuild | 129 +++++++++++++++++++++++++++
>  2 files changed, 130 insertions(+)

You should probably remove the vulnerable versions, too, as no keyword changes are necessary.
Comment 4 Larry the Git Cow gentoo-dev 2020-01-28 20:55:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53d5d5bd85451baa1484b39a9861514e07f12c75

commit 53d5d5bd85451baa1484b39a9861514e07f12c75
Author:     Stefan Strogin <steils@gentoo.org>
AuthorDate: 2020-01-28 20:53:13 +0000
Commit:     Stefan Strogin <steils@gentoo.org>
CommitDate: 2020-01-28 20:54:28 +0000

    games-roguelike/nethack: drop old and vulnerable 3.6.1, 3.6.3
    
    Bug: https://bugs.gentoo.org/706200
    Package-Manager: Portage-2.3.85, Repoman-2.3.20
    Signed-off-by: Stefan Strogin <steils@gentoo.org>

 games-roguelike/nethack/Manifest                   |   2 -
 .../nethack/files/nethack-3.6.0-hint-tty           |  19 ---
 .../nethack/files/nethack-3.6.0-hint-x11           |  23 ----
 .../nethack/files/nethack-3.6.1-recover.patch      | 115 ------------------
 games-roguelike/nethack/nethack-3.6.1.ebuild       | 128 --------------------
 games-roguelike/nethack/nethack-3.6.3.ebuild       | 129 ---------------------
 6 files changed, 416 deletions(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 20:17:05 UTC
Closing because tree is clean.