CVE-2023-24809

NetHack: NetHack Call command buffer overflow

Severity: High
Affected versions: 3.6.2 through 3.6.6
First Patched Version: 3.6.7

Basic Information:
Using the Call (C) command with a very long string can cause a buffer overflow.

This vulnerability may be a security issue for systems that have NetHack installed suid/sgid and for shared systems. For all systems, it may result in a process crash.

Users are encouraged to upgrade as soon as possible.

Additional information related to this advisory, if any, will be made available at https://nethack.org/security.
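
A triage check built from the advisory's two criteria (version in the affected range, binary installed suid/sgid), added here as an example and not NetHack project code. The function names, the verdict strings and the choice to pass the version in as an argument (for example from the package manager) are assumptions.

```shell
#!/bin/sh
# Added triage sketch for CVE-2023-24809; not NetHack project code.

# Return 0 if the leading x.y.z version in $1 (after any non-digit prefix)
# lies in the advisory's affected range 3.6.2 through 3.6.6, 1 otherwise.
nethack_version_affected() {
    v=$(printf '%s\n' "$1" |
        sed -n '1s/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case "$v" in
        3.6.[2-6]) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 if FILE carries the setuid or setgid bit.
is_suid_or_sgid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Print one verdict for a binary and its version string (assumed names):
#   not-affected          version outside 3.6.2 .. 3.6.6
#   affected-privileged   affected and suid/sgid (the case the advisory
#                         singles out as a possible security issue)
#   affected-unprivileged affected, no suid/sgid bit (a crash is possible;
#                         shared systems still need review)
triage_nethack() {
    if ! nethack_version_affected "$2"; then
        echo "not-affected"
    elif is_suid_or_sgid "$1"; then
        echo "affected-privileged"
    else
        echo "affected-unprivileged"
    fi
}

# Usage: sh triage.sh /path/to/nethack-binary VERSION
if [ "$#" -eq 2 ]; then
    triage_nethack "$1" "$2"
fi
```

Point the script at the real game binary rather than a launcher script, since the suid/sgid bit sits on the binary itself.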


Timeline:
16-Feb-2023 Fixed version 3.6.7 released.
01-Jan-2023 Bug reported.


Acknowledgements:
The NetHack Development Team gratefully acknowledges Keith Simpson for discovering this issue and for responsibly reporting it.


Revision History:
16-Feb-2023 Initial Version.


NetHack is Copyright 1985-2023 by Stichting Mathematisch Centrum and M. Stephenson. See our license for details.
This site is Copyright 1999-2023 by Kenneth Lorber, Kensington, Maryland.