CVE-2020-5211

(This information may be updated from time to time.)

NetHack AUTOCOMPLETE configuration file option is subject to a buffer overflow

Severity: High
Affected versions: 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4
First Patched Version: 3.6.5
Git commit(s): cdc598e8bdf725eb79265ff9e0e16ae779046b09

Basic Information:
Invalid extended command in value for the AUTOCOMPLETE configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation.

This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files.

All users are urged to upgrade to NetHack 3.6.5 as soon as possible.

Additional information related to this advisory, if any, will be made available at https://nethack.org/security.


Timeline:
27-Jan-2020 NetHack 3.6.5 released with fix.
12-Jan-2020 Bug reported.


Acknowledgements:
The NetHack Development Team gratefully acknowledges security researcher David Mendenhall for discovering this issue and for responsibly reporting it.
Revision History:
27-Jan-2020 Initial Version.

About
Known Bug List
Version 3.6.6
License
Known Bug Search
Archive
Policies
Site Map
Old News
Security Issues
Developer Resources
Old Versions
Contact Us

Hosted courtesy of alt.org.

NetHack is Copyright 1985-2020 by Stichting Mathematisch Centrum and M. Stephenson. See our license for details.
This site is Copyright 1999-2020 by Kenneth Lorber, Kensington, Maryland.