---

CVE-2020-5209

(This information may be updated from time to time.)

NetHack command line parsing of options starting with -de and -i is subject to a buffer overflow

Severity: High
Affected versions: 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4
First Patched Version: 3.6.5
Git commit(s): f3def5c0b999478da2d0a8f0b6a7c370a2065f77

Basic Information:
Unknown options starting with -de and -i can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation.

This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files.

All users are urged to upgrade to NetHack 3.6.5 as soon as possible.

Additional information related to this advisory, if any, will be made available at https://nethack.org/security.

---

Timeline:
27-Jan-2020 NetHack 3.6.5 released with fix.
15-Jan-2020 Bug reported.

---

Acknowledgements:
The NetHack Development Team gratefully acknowledges security researcher David Mendenhall for discovering this issue and for responsibly reporting it.

---

Revision History:
27-Jan-2020 Initial Version.