Bug 707110 (CVE-2020-5209, CVE-2020-5210, CVE-2020-5211, CVE-2020-5212, CVE-2020-5213, CVE-2020-5214)

Summary: <games-roguelike/nethack-3.6.6: Multiple vulnerabilities (CVE-2020-{5209,5210,5211,5212,5213,5214})
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: games
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=712128
Whiteboard: ~2 [noglsa cve]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2020-01-29 16:04:06 UTC
CVE-2020-5214	Error recovery after syntax error in configuration file is subject to a buffer overflow
CVE-2020-5213	SYMBOL configuration file option is subject to a buffer overflow
CVE-2020-5212	MENUCOLOR configuration file option is subject to a buffer overflow
CVE-2020-5211	AUTOCOMPLETE configuration file option is subject to a buffer overflow
CVE-2020-5210	NetHack command line -w option parsing is subject to a buffer overflow
CVE-2020-5209	Command line parsing of options starting with -de and -i is subject to a buffer overflow
CVE-2019-19905	Privilege escalation/remote code execution/crash in configuration parsing
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-29 16:10:29 UTC
That's six vulnerabilities because 3.6.4 supposedly fixed CVE-2019-19905 according to bug #706200.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 20:17:56 UTC
@maintainer(s), please create an appropriate ebuild