Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 703478 (CVE-2019-16787)

Summary: <games-roguelike/nethack-3.6.4: Critical vulnerability in config parsing (CVE-2019-{16787,19905})
Product: Gentoo Security Reporter: Vitaly Ostrosablin <tmp6154>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: games
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Vitaly Ostrosablin 2019-12-21 15:28:51 UTC 
CVE-2019-16787 - a buffer overflow issue has been found in NetHack, and all versions, starting with 3.6.0 and up to 3.6.3 (including 3.6.1, which is available from Gentoo repository) are affected by this vulnerability, which, if machine allows .nethackrc files from untrusted parties, could lead to arbitrary code execution.

NetHack DevTeam has patched this vulnerability in 3.6.4 and advises everyone to update to this version. Hence, updating Gentoo ebuild to 3.6.4 should be sufficient to fix issue.

Official statement on this topic from DevTeam can be found there:

https://nethack.org/security/
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 20:16:24 UTC 
Closing because noglsa, fixed in 3.6.4 in tree.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2020-04-07 22:53:16 UTC 
Cleaning up CVE's:
The CVE used here is rejected!
Summary: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-19905. Reason: This candidate is a duplicate of CVE-2019-19905. Notes: All CVE users should reference CVE-2019-19905 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
 Published: 2019-12-20T23:15:00.000Z

Assingin bug to new CVE - Still closed.