Debian Bug report logs -
#947005
nethack: CVE-2019-19905: buffer overflow when parsing config files
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
:
Bug#947005
; Package src:nethack
.
(Thu, 19 Dec 2019 11:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Reiner Herrmann <reiner@reiner-h.de>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
.
(Thu, 19 Dec 2019 11:00:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: nethack
Version: 3.6.0-1
Severity: grave
Tags: security
X-Debbugs-Cc: team@security.debian.org
Hi,
a new version of NetHack has been released that fixes a privilege
escalation issue introduced in 3.6.0 [0] [1]:
> A buffer overflow issue exists when reading very long lines from a
> NetHack configuration file (usually named .nethackrc).
>
> This vulnerability affects systems that have NetHack installed suid/sgid
> and shared systems that allow users to upload their own configuration
> files.
>
> All users are urged to upgrade to NetHack 3.6.4 as soon as possible.
As the Debian packages ship setgid binaries, I think they are affected by it.
At least these two commits look related:
https://github.com/NetHack/NetHack/commit/f4a840a
https://github.com/NetHack/NetHack/commit/f001de7
Regards,
Reiner
[0] https://nethack.org/security/index.html
[1] https://nethack.org/v364/release.html
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
:
Bug#947005
; Package src:nethack
.
(Thu, 19 Dec 2019 19:39:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
.
(Thu, 19 Dec 2019 19:39:11 GMT) (full text, mbox, link).
Message #10 received at 947005@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 nethack: CVE-2019-19905: buffer overflow when parsing config files
On Thu, Dec 19, 2019 at 11:57:42AM +0100, Reiner Herrmann wrote:
> Source: nethack
> Version: 3.6.0-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: team@security.debian.org
>
> Hi,
>
> a new version of NetHack has been released that fixes a privilege
> escalation issue introduced in 3.6.0 [0] [1]:
>
> > A buffer overflow issue exists when reading very long lines from a
> > NetHack configuration file (usually named .nethackrc).
> >
> > This vulnerability affects systems that have NetHack installed suid/sgid
> > and shared systems that allow users to upload their own configuration
> > files.
> >
> > All users are urged to upgrade to NetHack 3.6.4 as soon as possible.
>
> As the Debian packages ship setgid binaries, I think they are affected by it.
>
> At least these two commits look related:
> https://github.com/NetHack/NetHack/commit/f4a840a
> https://github.com/NetHack/NetHack/commit/f001de7
This issue has been assigned CVE-2019-19905 by MITRE.
Regards,
Salvatore
Changed Bug title to 'nethack: CVE-2019-19905: buffer overflow when parsing config files' from 'nethack: buffer overflow when parsing config files'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 947005-submit@bugs.debian.org
.
(Thu, 19 Dec 2019 19:39:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Dec 20 09:08:57 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.