NetHack 3.6.6 is the 36th public release of NetHack. It was released on March 8th, 2020. This release fixes a security vulnerability that existed in versions 3.6.1, 3.6.2, 3.6.3, 3.6.4 and 3.6.5, as well as some more minor bugs. There were no new gameplay features.
Nethack 3.6.6 is available from the official NetHack website.
This release fixes CVE-2020-5254. As with the security bugs fixed in 3.6.4 and 3.6.5, this bug was reported to the DevTeam by security researcher David Mendenhall, who also explained that the bug can be used to glitch the game.
There were some other changes:
- Formatting corpse names used internal buffers differently from formatting other objects and could potentially clobber memory
- Avoid divide by 0 crash if 'bogusmon' (file of bogus monster types) is empty
- Avoid #wizrumorcheck crash if either 'rumors.tru' or 'rumors.fal' or both were empty when makedefs built 'rumors'
- Avoid "'s glorkum pass harmlessly through the shade" for weaponless monsters