Security

From NetHackWiki
Jump to navigation Jump to search

Sometimes security issues are found in NetHack. These are more serious than usual bugs because they can assist a malicious user in gaining too much access to your computer, or even taking control. This is especially relevant for public servers, which allow large numbers of strangers to play NetHack on a sysadmin's machine.

Usually, if the DevTeam knows about a security issue in NetHack, they will disclose it to the public after a fix is available.

To remain safe from security issues in NetHack, update to the latest version as soon as possible.

Security vulnerabilities in NetHack

CVE Description Affected versions Fixed in External links
CVE-2020-5254 NetHack hilite_status parsing privilege escalation 3.6.1 to 3.6.5 3.6.6 nethack.org cve.mitre.org
CVE-2020-5253 NetHack 3.4.3 privilege escalation 3.4.3 and earlier 3.6.0 nethack.org cve.mitre.org
CVE-2020-5214 Error recovery after syntax error in configuration file is subject to a buffer overflow 3.6.0 to 3.6.4 3.6.5 nethack.org cve.mitre.org
CVE-2020-5213 SYMBOL configuration file option is subject to a buffer overflow 3.6.0 to 3.6.4 3.6.5 nethack.org cve.mitre.org
CVE-2020-5212 MENUCOLOR configuration file option is subject to a buffer overflow 3.6.0 to 3.6.4 3.6.5 nethack.org cve.mitre.org
CVE-2020-5211 AUTOCOMPLETE configuration file option is subject to a buffer overflow 3.6.0 to 3.6.4 3.6.5 nethack.org cve.mitre.org
CVE-2020-5210 NetHack command line -w option parsing is subject to a buffer overflow 3.6.0 to 3.6.4 3.6.5 nethack.org cve.mitre.org
CVE-2020-5209 NetHack command line parsing of options starting with -de and -i is subject to a buffer overflow 3.6.0 to 3.6.4 3.6.5 nethack.org cve.mitre.org
CVE-2019-19905 NetHack: Privilege escalation/remote code execution/crash in configuration parsing 3.6.0 to 3.6.3 3.6.4 nethack.org cve.mitre.org
CVE-2003-0359 Installing NetHack allows local users to gain privileges by replacing the original binaries with malicious code 3.4.0 and earlier 3.4.1 cve.mitre.org debian.org
CVE-2003-0358 Buffer overflow allows local users to gain privileges via a long -s command line option 3.4.0 and earlier 3.4.1, or patched 3.4.0 cve.mitre.org debian.org

Security vulnerabilities related to NetHack

Sometimes, security issues arise from interactions between NetHack and other programs. These are not bugs in NetHack proper.

CVE Description Affected versions External links
CVE-2006-1390 Configuration on Gentoo allows local users to execute arbitrary code via buffer overflows and overwrite arbitrary files via symlink attacks 3.4.3-r1 and earlier cve.mitre.org securityfocus.com
CVE-1999-1477 Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as NetHack cve.mitre.org

See also