Affected versions: 3.4.3 and earlier
First Patched Version: 3.6.0
Malicious use of escaping of characters in the configuration file (usually .nethackrc) can be exploited.
This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files.
The NetHack 3.4 series (including 3.4.3) is no longer supported. Users are encouraged to upgrade to the current version as soon as possible. Anyone responsible for maintaining a 3.4 codebase should consider NetHack 3.6.0 commit 612755b.
Additional information related to this advisory, if any, will be made available at https://nethack.org/security.
08-Mar-2020 CVE-2020-5253 information referring to the issue in the unsupported 3.4.3 version.
03-Mar-2020 Bug reported by David Mendenhall.
07-Dec-2015 Fix for issue included in the 3.6.0 first public release since 2003.
05-Aug-2011 The NetHack Development Team responded to Matthew Daley via email.
03-Aug-2011 Email received from Matthew Daley by the NetHack Development Team and the admin of nethack.alt.org admin advising of the issue.
The NetHack Development Team would also like to acknowledge an
earlier report of this same issue on August 3, 2011 by Matthew Daley
in an email.
Hosted courtesy of alt.org.
NetHack is Copyright 1985-2020 by Stichting Mathematisch Centrum
and M. Stephenson. See
our license for details.
This site is Copyright 1999-2020 by Kenneth Lorber, Kensington, Maryland.