Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 706200 (CVE-2019-19905) - <games-roguelike/nethack-3.6.4: buffer overflow when reading long lines from a NetHack configuration file (CVE-2019-19905)
Summary: <games-roguelike/nethack-3.6.4: buffer overflow when reading long lines from ...
Status: RESOLVED FIXED
Alias: CVE-2019-19905
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://nethack.org/security/index.html
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-23 21:28 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-28 20:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-01-23 21:28:53 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2020-01-23 21:30:04 UTC
From $URL:

NetHack: Privilege escalation/remote code execution/crash in configuration parsing

Severity: High
Affected versions: 3.6.0, 3.6.1, 3.6.2, 3.6.3
First Patched Version: 3.6.4

CVE-2019-19905

Basic Information:
A buffer overflow issue exists when reading very long lines from a NetHack configuration file (usually named .nethackrc).

This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files.

All users are urged to upgrade to NetHack 3.6.4 as soon as possible.

Additional information related to this advisory, if any, will be made available at https://nethack.org/security.

Timeline:
18-Dec-2019 NetHack 3.6.4 released with fix.
13-Dec-2019 Bug reported.
Comment 2 Larry the Git Cow gentoo-dev 2020-01-25 10:56:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ed9103effd31e645b9405b52507cb88aaa7ef6d

commit 2ed9103effd31e645b9405b52507cb88aaa7ef6d
Author:     Stefan Strogin <steils@gentoo.org>
AuthorDate: 2020-01-25 10:54:46 +0000
Commit:     Stefan Strogin <steils@gentoo.org>
CommitDate: 2020-01-25 10:55:56 +0000

    games-roguelike/nethack: version bump to 3.6.4
    
    Bug: https://bugs.gentoo.org/706200
    Package-Manager: Portage-2.3.85, Repoman-2.3.20
    Signed-off-by: Stefan Strogin <steils@gentoo.org>

 games-roguelike/nethack/Manifest             |   1 +
 games-roguelike/nethack/nethack-3.6.4.ebuild | 129 +++++++++++++++++++++++++++
 2 files changed, 130 insertions(+)
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-27 12:38:19 UTC
(In reply to Larry the Git Cow from comment #2)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=2ed9103effd31e645b9405b52507cb88aaa7ef6d
> 
> commit 2ed9103effd31e645b9405b52507cb88aaa7ef6d
> Author:     Stefan Strogin <steils@gentoo.org>
> AuthorDate: 2020-01-25 10:54:46 +0000
> Commit:     Stefan Strogin <steils@gentoo.org>
> CommitDate: 2020-01-25 10:55:56 +0000
> 
>     games-roguelike/nethack: version bump to 3.6.4
>     
>     Bug: https://bugs.gentoo.org/706200
>     Package-Manager: Portage-2.3.85, Repoman-2.3.20
>     Signed-off-by: Stefan Strogin <steils@gentoo.org>
> 
>  games-roguelike/nethack/Manifest             |   1 +
>  games-roguelike/nethack/nethack-3.6.4.ebuild | 129
> +++++++++++++++++++++++++++
>  2 files changed, 130 insertions(+)

You should probably remove the vulnerable versions, too, as no keyword changes are necessary.
Comment 4 Larry the Git Cow gentoo-dev 2020-01-28 20:55:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53d5d5bd85451baa1484b39a9861514e07f12c75

commit 53d5d5bd85451baa1484b39a9861514e07f12c75
Author:     Stefan Strogin <steils@gentoo.org>
AuthorDate: 2020-01-28 20:53:13 +0000
Commit:     Stefan Strogin <steils@gentoo.org>
CommitDate: 2020-01-28 20:54:28 +0000

    games-roguelike/nethack: drop old and vulnerable 3.6.1, 3.6.3
    
    Bug: https://bugs.gentoo.org/706200
    Package-Manager: Portage-2.3.85, Repoman-2.3.20
    Signed-off-by: Stefan Strogin <steils@gentoo.org>

 games-roguelike/nethack/Manifest                   |   2 -
 .../nethack/files/nethack-3.6.0-hint-tty           |  19 ---
 .../nethack/files/nethack-3.6.0-hint-x11           |  23 ----
 .../nethack/files/nethack-3.6.1-recover.patch      | 115 ------------------
 games-roguelike/nethack/nethack-3.6.1.ebuild       | 128 --------------------
 games-roguelike/nethack/nethack-3.6.3.ebuild       | 129 ---------------------
 6 files changed, 416 deletions(-)
Comment 5 Sam James archtester gentoo-dev Security 2020-03-28 20:17:05 UTC
Closing because tree is clean.