Some out-of-bound values for the hilite_status option can be exploited. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. References: https://github.com/NetHack/NetHack/security/advisories/GHSA-2ch6-6r8h-m2p9 https://github.com/dpmdpm2/CVE-2020-5254 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5254 https://nvd.nist.gov/vuln/detail/CVE-2020-5254 https://security-tracker.debian.org/tracker/CVE-2020-5254 https://bugzilla.redhat.com/show_bug.cgi?id=1812229 Solution: upgrade to 3.6.6
3.6.6 addition: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99ac822df309e7805ae6c557055f79a3532d06f4 cleanup: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac2c30327e98c5d15c0fa0e94d11a6cabd997683 Closing because noglsa and tree is clean.