Difference between revisions of "NetHack 3.6.5"
Jump to navigation
Jump to search
(Created page with "{{NetHack Versions}} '''NetHack 3.6.5''' is the 35th public release of NetHack. It was released on 27th January 2020. This release fixes several security exploits that ex...") |
m |
||
| Line 1: | Line 1: | ||
{{NetHack Versions}} | {{NetHack Versions}} | ||
| − | '''NetHack 3.6.5''' is the 35th public release of [[NetHack]]. It was released on 27th January 2020. This release fixes several security exploits that existed in versions [[3.6.0]], [[3.6.1]], [[3.6.2]], [[3.6.3]] and [[3.6.4]], as well as some more minor bugs. There were no new gameplay features<ref>https://github.com/NetHack/NetHack/blob/NetHack-3.6/doc/fixes36.5</ref> | + | '''NetHack 3.6.5''' is the 35th public release of [[NetHack]]. It was released on 27th January 2020. This release fixes several security exploits that existed in versions [[3.6.0]], [[3.6.1]], [[3.6.2]], [[3.6.3]] and [[3.6.4]], as well as some more minor bugs. There were no new gameplay features.<ref>https://github.com/NetHack/NetHack/blob/NetHack-3.6/doc/fixes36.5</ref> |
== Availability == | == Availability == | ||
| Line 7: | Line 7: | ||
NetHack 3.6.5 is [https://nethack.org/v365/downloads.html available] from the official NetHack website. | NetHack 3.6.5 is [https://nethack.org/v365/downloads.html available] from the official NetHack website. | ||
| − | == Significant | + | == Significant changes == |
=== Security === | === Security === | ||
| Line 13: | Line 13: | ||
These security vulnerabilities were fixed: | These security vulnerabilities were fixed: | ||
| − | * CVE-2020-5209 | + | * CVE-2020-5209: command line parsing of options starting with -de and -i is subject to a [[wikipedia:buffer overflow|buffer overflow]]<ref>https://nethack.org/security/CVE-2020-5209.html</ref> |
| − | + | * CVE-2020-5210: command line -w option parsing is subject to a buffer overflow<ref>https://nethack.org/security/CVE-2020-5210.html</ref> | |
| − | + | * CVE-2020-5211: [[Options#AUTOCOMPLETE|AUTOCOMPLETE]] configuration file option is subject to a buffer overflow<ref>https://nethack.org/security/CVE-2020-5211.html</ref> | |
| − | + | * CVE-2020-5212: [[Menucolors|MENUCOLOR]] configuration file option is subject to a buffer overflow<ref>https://nethack.org/security/CVE-2020-5212.html</ref> | |
| − | + | * CVE-2020-5213: [[Options#SYMBOL|SYMBOL]] configuration file option is subject to a buffer overflow<ref>https://nethack.org/security/CVE-2020-5213.html</ref> | |
| − | + | * CVE-2020-5214: error recovery after syntax error in configuration file is subject to a buffer overflow<ref>https://nethack.org/security/CVE-2020-5214.html</ref> | |
These were all reported to the DevTeam by security researcher David Mendenhall. | These were all reported to the DevTeam by security researcher David Mendenhall. | ||
| Line 24: | Line 24: | ||
=== Bug fixes === | === Bug fixes === | ||
| − | Other bug fixes include<ref>https://github.com/NetHack/NetHack/blob/NetHack-3.6/doc/fixes36.5</ref> | + | Other bug fixes include:<ref>https://github.com/NetHack/NetHack/blob/NetHack-3.6/doc/fixes36.5</ref> |
* fix accessing mons[-1] when trying to [[demon gating|gate]] in a non-valid demon | * fix accessing mons[-1] when trying to [[demon gating|gate]] in a non-valid demon | ||
Revision as of 01:31, 31 January 2020
|
NetHack Versions |
|
|
|
|
|
|
|
|
NetHack 3.6.5 is the 35th public release of NetHack. It was released on 27th January 2020. This release fixes several security exploits that existed in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3 and 3.6.4, as well as some more minor bugs. There were no new gameplay features.[1]
Availability
NetHack 3.6.5 is available from the official NetHack website.
Significant changes
Security
These security vulnerabilities were fixed:
- CVE-2020-5209: command line parsing of options starting with -de and -i is subject to a buffer overflow[2]
- CVE-2020-5210: command line -w option parsing is subject to a buffer overflow[3]
- CVE-2020-5211: AUTOCOMPLETE configuration file option is subject to a buffer overflow[4]
- CVE-2020-5212: MENUCOLOR configuration file option is subject to a buffer overflow[5]
- CVE-2020-5213: SYMBOL configuration file option is subject to a buffer overflow[6]
- CVE-2020-5214: error recovery after syntax error in configuration file is subject to a buffer overflow[7]
These were all reported to the DevTeam by security researcher David Mendenhall.
Bug fixes
Other bug fixes include:[8]
- fix accessing mons[-1] when trying to gate in a non-valid demon
- fix accessing mons[-1] when monster figures out if a tin cures stoning
- have string_for_opt() return empty_optstr on failure
- ensure existing callers of string_for_opt() check return value before using it
- use vsnprintf instead of vsprintf in pline.c where possible
- Windows: includes a fix from a 3.6.4 post-release update where OPTIONS=map_mode:fit_to_screen could cause a game start failure
- Windows: users with C-locale unmappable names could get game start failure
References
- ↑ https://github.com/NetHack/NetHack/blob/NetHack-3.6/doc/fixes36.5
- ↑ https://nethack.org/security/CVE-2020-5209.html
- ↑ https://nethack.org/security/CVE-2020-5210.html
- ↑ https://nethack.org/security/CVE-2020-5211.html
- ↑ https://nethack.org/security/CVE-2020-5212.html
- ↑ https://nethack.org/security/CVE-2020-5213.html
- ↑ https://nethack.org/security/CVE-2020-5214.html
- ↑ https://github.com/NetHack/NetHack/blob/NetHack-3.6/doc/fixes36.5
