Security
Jump to navigation
Jump to search
Sometimes security issues are found in NetHack. These are more serious than usual bugs because they can assist a malicious user in gaining too much access to your computer, or even taking control. This is especially relevant for public servers, which allow large numbers of strangers to play NetHack on a sysadmin's machine.
Usually, if the DevTeam knows about a security issue in NetHack, they will disclose it to the public after a fix is available.
To remain safe from security issues in NetHack, update to the latest version as soon as possible.
Security vulnerabilities in NetHack
| CVE | Description | Affected versions | Fixed in | External links |
|---|---|---|---|---|
| CVE-2023-24809 | NetHack Call command buffer overflow | 3.6.2 to 3.6.6 | 3.6.7 | nethack.org cve.mitre.org |
| CVE-2020-5254 | NetHack hilite_status parsing privilege escalation | 3.6.1 to 3.6.5 | 3.6.6 | nethack.org cve.mitre.org |
| CVE-2020-5253 | NetHack 3.4.3 privilege escalation | 3.4.3 and earlier | 3.6.0 | nethack.org cve.mitre.org |
| CVE-2020-5214 | Error recovery after syntax error in configuration file is subject to a buffer overflow | 3.6.0 to 3.6.4 | 3.6.5 | nethack.org cve.mitre.org |
| CVE-2020-5213 | SYMBOL configuration file option is subject to a buffer overflow | 3.6.0 to 3.6.4 | 3.6.5 | nethack.org cve.mitre.org |
| CVE-2020-5212 | MENUCOLOR configuration file option is subject to a buffer overflow | 3.6.0 to 3.6.4 | 3.6.5 | nethack.org cve.mitre.org |
| CVE-2020-5211 | AUTOCOMPLETE configuration file option is subject to a buffer overflow | 3.6.0 to 3.6.4 | 3.6.5 | nethack.org cve.mitre.org |
| CVE-2020-5210 | NetHack command line -w option parsing is subject to a buffer overflow | 3.6.0 to 3.6.4 | 3.6.5 | nethack.org cve.mitre.org |
| CVE-2020-5209 | NetHack command line parsing of options starting with -de and -i is subject to a buffer overflow | 3.6.0 to 3.6.4 | 3.6.5 | nethack.org cve.mitre.org |
| CVE-2019-19905 | NetHack: Privilege escalation/remote code execution/crash in configuration parsing | 3.6.0 to 3.6.3 | 3.6.4 | nethack.org cve.mitre.org |
| CVE-2003-0359 | Installing NetHack allows local users to gain privileges by replacing the original binaries with malicious code | 3.4.0 and earlier | 3.4.1 | cve.mitre.org debian.org |
| CVE-2003-0358 | Buffer overflow allows local users to gain privileges via a long -s command line option | 3.4.0 and earlier | 3.4.1, or patched 3.4.0 | cve.mitre.org debian.org |
Sometimes, security issues arise from interactions between NetHack and other programs. These are not bugs in NetHack proper.
| CVE | Description | Affected versions | External links |
|---|---|---|---|
| CVE-2006-1390 | Configuration on Gentoo allows local users to execute arbitrary code via buffer overflows and overwrite arbitrary files via symlink attacks | 3.4.3-r1 and earlier | cve.mitre.org securityfocus.com |
| CVE-1999-1477 | Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as NetHack | cve.mitre.org |
See also
- David Mendenhall, the security researcher who found most of the security issues from 3.6.0 to 3.6.5
