NetHack 3.6.5

From NetHackWiki
Jump to navigation Jump to search

NetHack 3.6.5 is the 35th public release of NetHack. It was released on 27th January 2020. This release fixes several security exploits that existed in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3 and 3.6.4, as well as some more minor bugs. There were no new gameplay features.[1]


NetHack 3.6.5 is available from the official NetHack website.

Significant changes


These security vulnerabilities were fixed:

  • CVE-2020-5209: command line parsing of options starting with -de and -i is subject to a buffer overflow[2]
  • CVE-2020-5210: command line -w option parsing is subject to a buffer overflow[3]
  • CVE-2020-5211: AUTOCOMPLETE configuration file option is subject to a buffer overflow[4]
  • CVE-2020-5212: MENUCOLOR configuration file option is subject to a buffer overflow[5]
  • CVE-2020-5213: SYMBOL configuration file option is subject to a buffer overflow[6]
  • CVE-2020-5214: error recovery after syntax error in configuration file is subject to a buffer overflow[7]

These were all reported to the DevTeam by security researcher David Mendenhall.

Bug fixes

Other bug fixes include:[8]

  • fix accessing mons[-1] when trying to gate in a non-valid demon
  • fix accessing mons[-1] when monster figures out if a tin cures stoning
  • have string_for_opt() return empty_optstr on failure
  • ensure existing callers of string_for_opt() check return value before using it
  • use vsnprintf instead of vsprintf in pline.c where possible
  • Windows: includes a fix from a 3.6.4 post-release update where OPTIONS=map_mode:fit_to_screen could cause a game start failure
  • Windows: users with C-locale unmappable names could get game start failure