Debian Bug report logs - #947005
nethack: CVE-2019-19905: buffer overflow when parsing config files

Package: src:nethack; Maintainer for src:nethack is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>;

Reported by: Reiner Herrmann <reiner@reiner-h.de>

Date: Thu, 19 Dec 2019 11:00:02 UTC

Severity: grave

Tags: fixed-upstream, security

Found in version nethack/3.6.0-1

Fixed in version nethack/3.6.6-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#947005; Package src:nethack. (Thu, 19 Dec 2019 11:00:04 GMT).


Acknowledgement sent to Reiner Herrmann <reiner@reiner-h.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Thu, 19 Dec 2019 11:00:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: submit@bugs.debian.org
Subject: nethack: buffer overflow when parsing config files
Date: Thu, 19 Dec 2019 11:57:42 +0100
Source: nethack
Version: 3.6.0-1
Severity: grave
Tags: security
X-Debbugs-Cc: team@security.debian.org

Hi,

a new version of NetHack has been released that fixes a privilege
escalation issue introduced in 3.6.0 [0] [1]:

> A buffer overflow issue exists when reading very long lines from a
> NetHack configuration file (usually named .nethackrc).
> 
> This vulnerability affects systems that have NetHack installed suid/sgid
> and shared systems that allow users to upload their own configuration
> files.
> 
> All users are urged to upgrade to NetHack 3.6.4 as soon as possible. 

As the Debian packages ship setgid binaries, I think they are affected by it.

At least these two commits look related:
 https://github.com/NetHack/NetHack/commit/f4a840a
 https://github.com/NetHack/NetHack/commit/f001de7

Regards,
  Reiner

[0] https://nethack.org/security/index.html
[1] https://nethack.org/v364/release.html

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#947005; Package src:nethack. (Thu, 19 Dec 2019 19:39:11 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Thu, 19 Dec 2019 19:39:11 GMT).


Message #10 received at 947005@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Reiner Herrmann <reiner@reiner-h.de>, 947005@bugs.debian.org
Cc: nethack-bugs@nethack.org
Subject: Re: Bug#947005: nethack: buffer overflow when parsing config files
Date: Thu, 19 Dec 2019 20:38:45 +0100
Control: retitle -1 nethack: CVE-2019-19905: buffer overflow when parsing config files

On Thu, Dec 19, 2019 at 11:57:42AM +0100, Reiner Herrmann wrote:
> Source: nethack
> Version: 3.6.0-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: team@security.debian.org
> 
> Hi,
> 
> a new version of NetHack has been released that fixes a privilege
> escalation issue introduced in 3.6.0 [0] [1]:
> 
> > A buffer overflow issue exists when reading very long lines from a
> > NetHack configuration file (usually named .nethackrc).
> > 
> > This vulnerability affects systems that have NetHack installed suid/sgid
> > and shared systems that allow users to upload their own configuration
> > files.
> > 
> > All users are urged to upgrade to NetHack 3.6.4 as soon as possible. 
> 
> As the Debian packages ship setgid binaries, I think they are affected by it.
> 
> At least these two commits look related:
>  https://github.com/NetHack/NetHack/commit/f4a840a
>  https://github.com/NetHack/NetHack/commit/f001de7

This issue has been assigned CVE-2019-19905 by MITRE.

Regards,
Salvatore



Changed Bug title to 'nethack: CVE-2019-19905: buffer overflow when parsing config files' from 'nethack: buffer overflow when parsing config files'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 947005-submit@bugs.debian.org. (Thu, 19 Dec 2019 19:39:11 GMT).


Added tag(s) fixed-upstream. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Fri, 31 Jan 2020 20:27:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#947005; Package src:nethack. (Sun, 02 Feb 2020 13:18:02 GMT).


Acknowledgement sent to Reiner Herrmann <reiner@reiner-h.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Sun, 02 Feb 2020 13:18:02 GMT).


Message #19 received at 947005@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: 947005@bugs.debian.org
Subject: Re: Bug#947005: nethack: buffer overflow when parsing config files
Date: Sun, 2 Feb 2020 14:14:54 +0100
Version 3.6.5 has been released, which fixes additional security issues:
 CVE-2020-5209, CVE-2020-5210, CVE-2020-5211, CVE-2020-5212,
 CVE-2020-5213, CVE-2020-5214.

See also:
 https://nethack.org/v365/release.html
 https://www.nethack.org/security/

Added tag(s) pending. Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Sun, 31 May 2020 14:36:07 GMT).


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 31 May 2020 17:51:03 GMT).


Notification sent to Reiner Herrmann <reiner@reiner-h.de>:
Bug acknowledged by developer. (Sun, 31 May 2020 17:51:03 GMT).


Message #26 received at 947005-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 947005-close@bugs.debian.org
Subject: Bug#947005: fixed in nethack 3.6.6-1
Date: Sun, 31 May 2020 17:49:17 +0000
Source: nethack
Source-Version: 3.6.6-1
Done: Markus Koschany <apo@debian.org>

We believe that the bug you reported is fixed in the latest version of
nethack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947005@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated nethack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 31 May 2020 18:57:45 +0200
Source: nethack
Architecture: source
Version: 3.6.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 947005 953978 957598
Changes:
 nethack (3.6.6-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Reiner Herrmann ]
   * Update watch file.
     The sourceforge page seems to be no longer kept up-to-date.
     Use the official site instead, but mangle the page a bit,
     to point to the correct tarball location.
 .
   [ Markus Koschany ]
   * New upstream version 3.6.6.
     - Fixes CVE-2020-5254, CVE-2020-5214, CVE-2020-5213, CVE-2020-5212,
       CVE-2020-5211, CVE-2020-5210, CVE-2020-5209 and CVE-2019-19905.
       (Closes: #947005, #953978)
   * Fixes FTBFS with GCC 10. (Closes: #957598)
   * Switch to debhelper-compat = 13
   * Declare compliance with Debian Policy 4.5.0.
   * Drop u1-fix-H7138-sys-unix-setup.sh-fails-with-no-arguments.patch.
     Fixed upstream.
   * Rebase all patches for new version 3.6.6.
   * Remove all lisp patches. Broken and unmaintained with 3.6.6.
     Maintainers are welcome. nethack-lisp can be salvaged by fixing the errors
     on the lisp branch in Git. If they are not fixed before the bullseye
     release nethack-lisp will be removed.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Sep 2021 07:26:19 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 10:07:01 2025; Machine Name: buxtehude
