Difference between revisions of "Security"

Revision as of 03:58, 1 April 2020

Sometimes security issues are found in NetHack. These are more serious than usual bugs because they can assist a malicious user in gaining too much access to your computer, or even taking control. This is especially relevant for public servers, which allow large numbers of strangers to play NetHack on a sysadmin's machine.

Usually, if the DevTeam knows about a security issue in NetHack, they will disclose it to the public after a fix is available.

To remain safe from security issues in NetHack, update to the latest version as soon as possible.

Security vulnerabilities in NetHack

CVE	Description	Affected versions	Fixed in	External links
CVE-2020-5254	NetHack hilite_status parsing privilege escalation	3.6.1 to 3.6.5	3.6.6	nethack.org cve.mitre.org
CVE-2020-5253	NetHack 3.4.3 privilege escalation	3.4.3 and earlier	3.6.0	nethack.org cve.mitre.org
CVE-2020-5214	Error recovery after syntax error in configuration file is subject to a buffer overflow	3.6.0 to 3.6.4	3.6.5	nethack.org cve.mitre.org
CVE-2020-5213	SYMBOL configuration file option is subject to a buffer overflow	3.6.0 to 3.6.4	3.6.5	nethack.org cve.mitre.org
CVE-2020-5212	MENUCOLOR configuration file option is subject to a buffer overflow	3.6.0 to 3.6.4	3.6.5	nethack.org cve.mitre.org
CVE-2020-5211	AUTOCOMPLETE configuration file option is subject to a buffer overflow	3.6.0 to 3.6.4	3.6.5	nethack.org cve.mitre.org
CVE-2020-5210	NetHack command line -w option parsing is subject to a buffer overflow	3.6.0 to 3.6.4	3.6.5	nethack.org cve.mitre.org
CVE-2020-5209	NetHack command line parsing of options starting with -de and -i is subject to a buffer overflow	3.6.0 to 3.6.4	3.6.5	nethack.org cve.mitre.org
CVE-2019-19905	NetHack: Privilege escalation/remote code execution/crash in configuration parsing	3.6.0 to 3.6.3	3.6.4	nethack.org cve.mitre.org
CVE-2003-0359	Installing NetHack allows local users to gain privileges by replacing the original binaries with malicious code	3.4.0 and earlier	3.4.1	cve.mitre.org debian.org
CVE-2003-0358	Buffer overflow allows local users to gain privileges via a long -s command line option	3.4.0 and earlier	3.4.1, or patched 3.4.0	cve.mitre.org debian.org

Security vulnerabilities related to NetHack

Sometimes, security issues arise from interactions between NetHack and other programs. These are not bugs in NetHack proper.

CVE	Description	Affected versions	External links
CVE-2006-1390	Configuration on Gentoo allows local users to execute arbitrary code via buffer overflows and overwrite arbitrary files via symlink attacks	3.4.3-r1 and earlier	cve.mitre.org securityfocus.com
CVE-1999-1477	Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as NetHack		cve.mitre.org

@@ Line 14: / Line 14: @@
 !External links
 |-
-|CVE-2020-5254
+|{{va|CVE-2020-5254}}
 |NetHack [[hilite_status]] parsing privilege escalation
 |[[3.6.1]] to [[3.6.5]]
@@ Line 20: / Line 20: @@
 |[https://www.nethack.org/security/CVE-2020-5254.html nethack.org] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5254 cve.mitre.org]
 |-
-|CVE-2020-5253
+|{{va|CVE-2020-5253}}
 |NetHack 3.4.3 privilege escalation
 |[[3.4.3]] and earlier
@@ Line 26: / Line 26: @@
 |[https://www.nethack.org/security/CVE-2020-5253.html nethack.org] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5253 cve.mitre.org]
 |-
-|CVE-2020-5214
+|{{va|CVE-2020-5214}}
 |Error recovery after syntax error in [[configuration file]] is subject to a buffer overflow
 |[[3.6.0]] to [[3.6.4]]
@@ Line 32: / Line 32: @@
 |[https://www.nethack.org/security/CVE-2020-5214.html nethack.org] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5214 cve.mitre.org]
 |-
-|CVE-2020-5213
+|{{va|CVE-2020-5213}}
 |[[Options#SYMBOL|SYMBOL]] configuration file option is subject to a buffer overflow
 |[[3.6.0]] to [[3.6.4]]
@@ Line 38: / Line 38: @@
 |[https://www.nethack.org/security/CVE-2020-5213.html nethack.org] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5213 cve.mitre.org]
 |-
-|CVE-2020-5212
+|{{va|CVE-2020-5212}}
 |[[menucolors|MENUCOLOR]] configuration file option is subject to a buffer overflow
 |[[3.6.0]] to [[3.6.4]]
@@ Line 44: / Line 44: @@
 |[https://www.nethack.org/security/CVE-2020-5212.html nethack.org] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5212 cve.mitre.org]
 |-
-|CVE-2020-5211
+|{{va|CVE-2020-5211}}
 |[[Options#AUTOCOMPLETE|AUTOCOMPLETE]] configuration file option is subject to a buffer overflow
 |[[3.6.0]] to [[3.6.4]]
@@ Line 50: / Line 50: @@
 |[https://www.nethack.org/security/CVE-2020-5211.html nethack.org] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5211 cve.mitre.org]
 |-
-|CVE-2020-5210
+|{{va|CVE-2020-5210}}
 |NetHack command line -w option parsing is subject to a buffer overflow
 |[[3.6.0]] to [[3.6.4]]
@@ Line 56: / Line 56: @@
 |[https://www.nethack.org/security/CVE-2020-5210.html nethack.org] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5210 cve.mitre.org]
 |-
-|CVE-2020-5209
+|{{va|CVE-2020-5209}}
 |NetHack command line parsing of options starting with -de and -i is subject to a buffer overflow
 |[[3.6.0]] to [[3.6.4]]
@@ Line 62: / Line 62: @@
 |[https://www.nethack.org/security/CVE-2020-5209.html nethack.org] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5209 cve.mitre.org]
 |-
-|CVE-2019-19905
+|{{va|CVE-2019-19905}}
 |NetHack: Privilege escalation/remote code execution/crash in configuration parsing
 |[[3.6.0]] to [[3.6.3]]
@@ Line 68: / Line 68: @@
 |[https://www.nethack.org/security/CVE-2019-19905.html nethack.org] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19905 cve.mitre.org]
 |-
-|CVE-2003-0359
+|{{va|CVE-2003-0359}}
 |Installing NetHack allows local users to gain privileges by replacing the original binaries with malicious code
 |[[3.4.0]] and earlier
@@ Line 74: / Line 74: @@
 |[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0359 cve.mitre.org] [https://www.debian.org/security/2003/dsa-316 debian.org]
 |-
-|CVE-2003-0358
+|{{va|CVE-2003-0358}}
 |Buffer overflow allows local users to gain privileges via a long -s command line option
 |[[3.4.0]] and earlier
@@ Line 91: / Line 91: @@
 !External links
 |-
-|CVE-2006-1390
+|{{va|CVE-2006-1390}}
 |Configuration on [[Gentoo]] allows local users to execute arbitrary code via buffer overflows and overwrite arbitrary files via symlink attacks
 |[[3.4.3]]-r1 and earlier
 |[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1390 cve.mitre.org] [https://www.securityfocus.com/archive/1/428743/100/0/threaded securityfocus.com]
 |-
-|CVE-1999-1477
+|{{va|CVE-1999-1477}}
 |Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as NetHack
 |

Difference between revisions of "Security"

Revision as of 03:58, 1 April 2020

Security vulnerabilities in NetHack

Security vulnerabilities related to NetHack

See also

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Popular pages

Contributing

Tools