Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#947005; Package src:nethack.
(Thu, 19 Dec 2019 11:00:04 GMT)
Acknowledgement sent
to Reiner Herrmann <reiner@reiner-h.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Thu, 19 Dec 2019 11:00:05 GMT)
Source: nethack
Version: 3.6.0-1
Severity: grave
Tags: security
X-Debbugs-Cc: team@security.debian.org
Hi,
a new version of NetHack has been released that fixes a privilege
escalation issue introduced in 3.6.0 [0] [1]:
> A buffer overflow issue exists when reading very long lines from a
> NetHack configuration file (usually named .nethackrc).
>
> This vulnerability affects systems that have NetHack installed suid/sgid
> and shared systems that allow users to upload their own configuration
> files.
>
> All users are urged to upgrade to NetHack 3.6.4 as soon as possible.
As the Debian packages ship setgid binaries, I think they are affected by it.
At least these two commits look related:
https://github.com/NetHack/NetHack/commit/f4a840a
https://github.com/NetHack/NetHack/commit/f001de7
Regards,
Reiner
[0] https://nethack.org/security/index.html
[1] https://nethack.org/v364/release.html
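A general defensive pattern for the class of bug the report describes, given here as an added example that is not part of the original report and is neither NetHack's code nor its upstream fix: a config-line reader that rejects an over-long line whole instead of copying it. The names `read_conf_line` and `scan_conf` and the 64-byte `CONF_LINE_MAX` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define CONF_LINE_MAX 64   /* assumed limit for this sketch, not NetHack's */
enum { CONF_OK, CONF_EOF, CONF_TOO_LONG };

/* Read one line into buf (cap >= 2). An over-long line is drained and
 * rejected whole, so the next call starts on the following line. */
int read_conf_line(FILE *fp, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, fp) == NULL)
        return CONF_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* complete line: strip the newline */
        return CONF_OK;
    }
    int c = fgetc(fp);                /* no newline yet: look past the buffer */
    if (c == EOF || c == '\n')
        return CONF_OK;               /* exact fit, or unterminated last line */
    while (c != EOF && c != '\n')
        c = fgetc(fp);                /* discard the excess, never copy it */
    buf[0] = '\0';
    return CONF_TOO_LONG;
}

/* Returns the accepted line count; *rejected gets the over-long count. */
int scan_conf(FILE *fp, int *rejected)
{
    char line[CONF_LINE_MAX];
    int rc, accepted = 0;
    *rejected = 0;
    while ((rc = read_conf_line(fp, line, sizeof line)) != CONF_EOF)
        if (rc == CONF_TOO_LONG) (*rejected)++; else accepted++;
    return accepted;
}

int main(void)
{
    FILE *fp = tmpfile();             /* constructed sample input */
    int i, rejected;
    if (fp == NULL) return 1;
    fputs("OPTIONS=color\n", fp);
    for (i = 0; i < 200; i++) fputc('A', fp);
    fputs("\nOPTIONS=autopickup\n", fp);
    rewind(fp);
    printf("accepted=%d", scan_conf(fp, &rejected));
    printf(" rejected=%d\n", rejected);
    fclose(fp);
    return 0;
}
```

Rejecting the line outright, rather than truncating it and parsing the prefix, also avoids acting on a half-read option in a setgid process.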
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#947005; Package src:nethack.
(Thu, 19 Dec 2019 19:39:11 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Thu, 19 Dec 2019 19:39:11 GMT)
To: Reiner Herrmann <reiner@reiner-h.de>, 947005@bugs.debian.org
Cc: nethack-bugs@nethack.org
Subject: Re: Bug#947005: nethack: buffer overflow when parsing config files
Date: Thu, 19 Dec 2019 20:38:45 +0100
Control: retitle -1 nethack: CVE-2019-19905: buffer overflow when parsing config files
On Thu, Dec 19, 2019 at 11:57:42AM +0100, Reiner Herrmann wrote:
> Source: nethack
> Version: 3.6.0-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: team@security.debian.org
>
> Hi,
>
> a new version of NetHack has been released that fixes a privilege
> escalation issue introduced in 3.6.0 [0] [1]:
>
> > A buffer overflow issue exists when reading very long lines from a
> > NetHack configuration file (usually named .nethackrc).
> >
> > This vulnerability affects systems that have NetHack installed suid/sgid
> > and shared systems that allow users to upload their own configuration
> > files.
> >
> > All users are urged to upgrade to NetHack 3.6.4 as soon as possible.
>
> As the Debian packages ship setgid binaries, I think they are affected by it.
>
> At least these two commits look related:
> https://github.com/NetHack/NetHack/commit/f4a840a
> https://github.com/NetHack/NetHack/commit/f001de7
This issue has been assigned CVE-2019-19905 by MITRE.
Regards,
Salvatore
Changed Bug title to 'nethack: CVE-2019-19905: buffer overflow when parsing config files' from 'nethack: buffer overflow when parsing config files'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 947005-submit@bugs.debian.org.
(Thu, 19 Dec 2019 19:39:11 GMT)
Added tag(s) fixed-upstream.
Request was from Adrian Bunk <bunk@debian.org>
to control@bugs.debian.org.
(Fri, 31 Jan 2020 20:27:03 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#947005; Package src:nethack.
(Sun, 02 Feb 2020 13:18:02 GMT)
Acknowledgement sent
to Reiner Herrmann <reiner@reiner-h.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Sun, 02 Feb 2020 13:18:02 GMT)
Added tag(s) pending.
Request was from Markus Koschany <apo@debian.org>
to control@bugs.debian.org.
(Sun, 31 May 2020 14:36:07 GMT)
Reply sent
to Markus Koschany <apo@debian.org>:
You have taken responsibility.
(Sun, 31 May 2020 17:51:03 GMT)
Notification sent
to Reiner Herrmann <reiner@reiner-h.de>:
Bug acknowledged by developer.
(Sun, 31 May 2020 17:51:03 GMT)
Source: nethack
Source-Version: 3.6.6-1
Done: Markus Koschany <apo@debian.org>
We believe that the bug you reported is fixed in the latest version of
nethack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 947005@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated nethack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 31 May 2020 18:57:45 +0200
Source: nethack
Architecture: source
Version: 3.6.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 947005 953978 957598
Changes:
nethack (3.6.6-1) unstable; urgency=medium
.
* Team upload.
.
[ Reiner Herrmann ]
* Update watch file.
The sourceforge page seem to be no longer kept up-to-date.
Use the official site instead, but mangle the page a bit,
to point to the correct tarball location.
.
[ Markus Koschany ]
* New upstream version 3.6.6.
- Fixes CVE-2020-5254, CVE-2020-5214, CVE-2020-5213, CVE-2020-5212,
CVE-2020-5211, CVE-2020-5210, CVE-2020-5209 and CVE-2019-19905.
(Closes: #947005, #953978)
* Fixes FTBFS with GCC 10. (Closes: #957598)
* Switch to debhelper-compat = 13
* Declare compliance with Debian Policy 4.5.0.
* Drop u1-fix-H7138-sys-unix-setup.sh-fails-with-no-arguments.patch.
Fixed upstream.
* Rebase all patches for new version 3.6.6.
* Remove all lisp patches. Broken and unmaintained with 3.6.6.
Maintainers are welcome. nethack-lisp can be salvaged by fixing the errors
on the lisp branch in Git. If they are not fixed before the bullseye
release nethack-lisp will be removed.
Checksums-Sha1:
d5659ae7da59e1a9947f0b5fe0c4415f5a9deb6e 2433 nethack_3.6.6-1.dsc
d425d447892157c2efa612e31d02a062e72040e2 5577633 nethack_3.6.6.orig.tar.gz
9752bd9177e6cb0cc0c216ccebc4ae81ee97a767 49608 nethack_3.6.6-1.debian.tar.xz
2d07c0841e16da9490db4a4e778fba460819f01d 8572 nethack_3.6.6-1_amd64.buildinfo
Checksums-Sha256:
0fe55067dbd878615c1f4b04a3d1898a452fb306b205baac8e7d0f1c1bee0367 2433 nethack_3.6.6-1.dsc
cfde0c3ab6dd7c22ae82e1e5a59ab80152304eb23fb06e3129439271e5643ed2 5577633 nethack_3.6.6.orig.tar.gz
92404b459d929698ab36729d15473b2f46e26a93f91ca7496a5c8bef7a885168 49608 nethack_3.6.6-1.debian.tar.xz
897ff26e28299e9ea3ae183f45e32f32833dfc8ea8b8137cf09ba7881719654b 8572 nethack_3.6.6-1_amd64.buildinfo
Files:
841c989a12e22b427e480a0a2bea2d58 2433 games optional nethack_3.6.6-1.dsc
6c9a75f556d24c66801d74d8727a602e 5577633 games optional nethack_3.6.6.orig.tar.gz
9df770eba517625b38eac596bee1fcb5 49608 games optional nethack_3.6.6-1.debian.tar.xz
606470a4fa6b304b8151655572dde74b 8572 games optional nethack_3.6.6-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 12 Sep 2021 07:26:19 GMT)