{"id":"MGASA-2021-0077","summary":"Updated nethack packages fix security vulnerabilities","details":"Updated nethack packages fix security vulnerabilities:\n\nNetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when\nreading very long lines from configuration files. This affects systems that\nhave NetHack installed suid/sgid, and shared systems that allow users to\nupload their own configuration files (CVE-2019-19905).\n\nIn NetHack before 3.6.5, unknown options starting with -de and -i can cause\na buffer overflow resulting in a crash or remote code execution/privilege\nescalation. This vulnerability affects systems that have NetHack installed\nsuid/sgid and shared systems that allow users to influence command line\noptions (CVE-2020-5209).\n\nIn NetHack before 3.6.5, an invalid argument to the -w command line option\ncan cause a buffer overflow resulting in a crash or remote code\nexecution/privilege escalation. This vulnerability affects systems that have\nNetHack installed suid/sgid and shared systems that allow users to influence\ncommand line options (CVE-2020-5210).\n\nIn NetHack before 3.6.5, an invalid extended command in value for the\nAUTOCOMPLETE configuration file option can cause a buffer overflow resulting\nin a crash or remote code execution/privilege escalation. This vulnerability\naffects systems that have NetHack installed suid/sgid and shared systems\nthat allow users to upload their own configuration files (CVE-2020-5211).\n\nIn NetHack before 3.6.5, an extremely long value for the MENUCOLOR\nconfiguration file option can cause a buffer overflow resulting in a crash\nor remote code execution/privilege escalation. This vulnerability affects\nsystems that have NetHack installed suid/sgid and shared systems that allow\nusers to upload their own configuration files (CVE-2020-5212).\n\nIn NetHack before 3.6.5, too long of a value for the SYMBOL configuration\nfile option can cause a buffer overflow resulting in a crash or remote code\nexecution/privilege escalation. This vulnerability affects systems that have\nNetHack installed suid/sgid and shared systems that allow users to upload\ntheir own configuration files (CVE-2020-5213).\n\nIn NetHack before 3.6.5, detecting an unknown configuration file option can\ncause a buffer overflow resulting in a crash or remote code\nexecution/privilege escalation. This vulnerability affects systems that have\nNetHack installed suid/sgid and shared systems that allow users to upload\ntheir own configuration files (CVE-2020-5214).\n\nIn NetHack before 3.6.6, some out-of-bound values for the hilite_status\noption can be exploited (CVE-2020-5254).\n\nThe nethack package has been updated to version 3.6.6, fixing these issues\nand other bugs. See the upstream release notes for details.\n","modified":"2026-04-16T00:09:17.069982157Z","published":"2021-02-10T18:41:52Z","upstream":["CVE-2019-19905","CVE-2020-5209","CVE-2020-5210","CVE-2020-5211","CVE-2020-5212","CVE-2020-5213","CVE-2020-5214","CVE-2020-5254"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0077.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26228"},{"type":"WEB","url":"https://nethack.org/v362/release.html"},{"type":"WEB","url":"https://nethack.org/v363/release.html"},{"type":"WEB","url":"https://nethack.org/v364/release.html"},{"type":"WEB","url":"https://nethack.org/v365/release.html"},{"type":"WEB","url":"https://nethack.org/v366/release.html"},{"type":"ADVISORY","url":"https://www.nethack.org/security/CVE-2019-19905.html"},{"type":"ADVISORY","url":"https://www.nethack.org/security/CVE-2020-5209.html"},{"type":"ADVISORY","url":"https://www.nethack.org/security/CVE-2020-5210.html"},{"type":"ADVISORY","url":"https://www.nethack.org/security/CVE-2020-5211.html"},{"type":"ADVISORY","url":"https://www.nethack.org/security/CVE-2020-5212.html"},{"type":"ADVISORY","url":"https://www.nethack.org/security/CVE-2020-5213.html"},{"type":"ADVISORY","url":"https://www.nethack.org/security/CVE-2020-5214.html"},{"type":"ADVISORY","url":"https://www.nethack.org/security/CVE-2020-5254.html"}],"affected":[{"package":{"name":"nethack","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/nethack?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.6.6-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0077.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}