Bug 26228 - nethack new security issue(s) fixed upstream in 3.6.6
Summary: nethack new security issue(s) fixed upstream in 3.6.6
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-20 22:07 CET by David Walser
Modified: 2020-03-21 14:14 CET
CC List: 3 users

See Also:
Source RPM: nethack-3.6.1-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-02-20 22:07:21 CET
Fedora has issued an advisory on February 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VDMTLPNMUSRGT7QWFBGZW3OWHG3BCBOF/

It doesn't specify the security issue(s) fixed in 3.6.5.
David Walser 2020-02-21 17:53:25 CET

Status comment: (none) => Fixed upstream in 3.6.5

Comment 1 David GEIGER 2020-02-22 05:33:26 CET
Done for mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-02-22 06:08:36 CET
Advisory:
========================

Updated nethack packages fix security vulnerabilities:

NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when
reading very long lines from configuration files. This affects systems that
have NetHack installed suid/sgid, and shared systems that allow users to
upload their own configuration files (CVE-2019-19905).

In NetHack before 3.6.5, unknown options starting with -de and -i can cause a
buffer overflow resulting in a crash or remote code execution/privilege
escalation. This vulnerability affects systems that have NetHack installed
suid/sgid and shared systems that allow users to influence command line
options (CVE-2020-5209).

In NetHack before 3.6.5, an invalid argument to the -w command line option can
cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to influence
command line options (CVE-2020-5210).

In NetHack before 3.6.5, an invalid extended command in value for the
AUTOCOMPLETE configuration file option can cause a buffer overflow resulting
in a crash or remote code execution/privilege escalation. This vulnerability
affects systems that have NetHack installed suid/sgid and shared systems that
allow users to upload their own configuration files (CVE-2020-5211).

In NetHack before 3.6.5, an extremely long value for the MENUCOLOR
configuration file option can cause a buffer overflow resulting in a crash or
remote code execution/privilege escalation. This vulnerability affects
systems that have NetHack installed suid/sgid and shared systems that allow
users to upload their own configuration files (CVE-2020-5212).

In NetHack before 3.6.5, too long of a value for the SYMBOL configuration
file option can cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to upload
their own configuration files (CVE-2020-5213).

In NetHack before 3.6.5, detecting an unknown configuration file option can
cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to upload
their own configuration files (CVE-2020-5214).

The nethack package has been updated to version 3.6.5, fixing these issues and
other bugs.  See the upstream release notes for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5214
https://www.nethack.org/security/CVE-2019-19905.html
https://www.nethack.org/security/CVE-2020-5209.html
https://www.nethack.org/security/CVE-2020-5210.html
https://www.nethack.org/security/CVE-2020-5211.html
https://www.nethack.org/security/CVE-2020-5212.html
https://www.nethack.org/security/CVE-2020-5213.html
https://www.nethack.org/security/CVE-2020-5214.html
https://nethack.org/v362/release.html
https://nethack.org/v363/release.html
https://nethack.org/v364/release.html
https://nethack.org/v365/release.html
========================

Updated packages in core/updates_testing:
========================
nethack-3.6.5-1.mga7
nethack-bitmap-fonts-3.6.5-1.mga7
nethack-bitmap-fonts-core-3.6.5-1.mga7


from nethack-3.6.5-1.mga7.src.rpm

Assignee: shlomif => qa-bugs
Status comment: Fixed upstream in 3.6.5 => (none)

Comment 3 Herman Viaene 2020-02-24 14:16:45 CET
MGA7-64 Plasma on Lenovo B50
No apparent installation issues, but
$ nethack
Warning: cannot write scoreboard file '/var/games/nethack/record'
Unable to open SYSCF_FILE.

Checked: the /var/games/ folder is empty. Checked in MCC the contents of the packages: none of them contain anything in /var, and what is more: the filelist of nethack-bitmap-fonts-core-3.6.5-1.mga7 is empty????

CC: (none) => herman.viaene

Thomas Backlund 2020-03-06 22:52:09 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 David Walser 2020-03-19 15:01:43 CET
Fedora has issued an advisory on March 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LYC5LEWKB2NA46IOI6GGAUMFK5SR3KQ6/

It fixes CVE-2020-5254, fixed upstream in 3.6.6:
https://www.nethack.org/security/CVE-2020-5254.html
https://nethack.org/v366/release.html

CC: (none) => qa-bugs
Keywords: advisory => (none)
Assignee: qa-bugs => geiger.david68210
Summary: nethack new security issue(s) fixed upstream in 3.6.5 => nethack new security issue(s) fixed upstream in 3.6.6

Comment 5 David GEIGER 2020-03-20 08:43:11 CET
Done for both Cauldron and mga7!
Comment 6 David Walser 2020-03-20 13:52:10 CET
Advisory:
========================

Updated nethack packages fix security vulnerabilities:

NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when
reading very long lines from configuration files. This affects systems that
have NetHack installed suid/sgid, and shared systems that allow users to
upload their own configuration files (CVE-2019-19905).

In NetHack before 3.6.5, unknown options starting with -de and -i can cause a
buffer overflow resulting in a crash or remote code execution/privilege
escalation. This vulnerability affects systems that have NetHack installed
suid/sgid and shared systems that allow users to influence command line
options (CVE-2020-5209).

In NetHack before 3.6.5, an invalid argument to the -w command line option can
cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to influence
command line options (CVE-2020-5210).

In NetHack before 3.6.5, an invalid extended command in value for the
AUTOCOMPLETE configuration file option can cause a buffer overflow resulting
in a crash or remote code execution/privilege escalation. This vulnerability
affects systems that have NetHack installed suid/sgid and shared systems that
allow users to upload their own configuration files (CVE-2020-5211).

In NetHack before 3.6.5, an extremely long value for the MENUCOLOR
configuration file option can cause a buffer overflow resulting in a crash or
remote code execution/privilege escalation. This vulnerability affects
systems that have NetHack installed suid/sgid and shared systems that allow
users to upload their own configuration files (CVE-2020-5212).

In NetHack before 3.6.5, too long of a value for the SYMBOL configuration
file option can cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to upload
their own configuration files (CVE-2020-5213).

In NetHack before 3.6.5, detecting an unknown configuration file option can
cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to upload
their own configuration files (CVE-2020-5214).

In NetHack before 3.6.6, some out-of-bound values for the hilite_status
option can be exploited (CVE-2020-5254).

The nethack package has been updated to version 3.6.6, fixing these issues and
other bugs.  See the upstream release notes for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5254
https://www.nethack.org/security/CVE-2019-19905.html
https://www.nethack.org/security/CVE-2020-5209.html
https://www.nethack.org/security/CVE-2020-5210.html
https://www.nethack.org/security/CVE-2020-5211.html
https://www.nethack.org/security/CVE-2020-5212.html
https://www.nethack.org/security/CVE-2020-5213.html
https://www.nethack.org/security/CVE-2020-5214.html
https://www.nethack.org/security/CVE-2020-5254.html
https://nethack.org/v362/release.html
https://nethack.org/v363/release.html
https://nethack.org/v364/release.html
https://nethack.org/v365/release.html
https://nethack.org/v366/release.html
========================

Updated packages in core/updates_testing:
========================
nethack-3.6.6-1.mga7
nethack-bitmap-fonts-3.6.6-1.mga7
nethack-bitmap-fonts-core-3.6.6-1.mga7

from nethack-3.6.6-1.mga7.src.rpm

CC: qa-bugs => (none)
Assignee: geiger.david68210 => qa-bugs
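The advisory above ties exposure to two conditions: a build older than 3.6.6 and a binary installed setuid/setgid. The following audit helper is an added example, not part of this bug or of the nethack project; it assumes POSIX sh with GNU `sort -V` and `stat -c`, and the binary path `/usr/games/nethack` is a hypothetical default.

```sh
#!/bin/sh
# Added audit helper (not from the Mageia bug or the nethack project).
# Classifies a nethack install against the advisory's conditions:
# version below the fixed 3.6.6, and setuid/setgid bits on the binary.

FIXED_VERSION="3.6.6"

# version_lt A B: true (exit 0) when dotted version A sorts before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    # sort -V orders versions numerically; A is lower iff it comes out first.
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# is_privileged MODE: MODE is the octal mode from `stat -c %a` (e.g. 2755).
# A four-digit mode whose leading digit has the 4 (setuid) or 2 (setgid)
# bit set means the binary runs with elevated privileges.
is_privileged() {
    case "$1" in
        [234567]???) return 0 ;;
        *) return 1 ;;
    esac
}

# exposure_for VERSION MODE: prints one of
#   vulnerable              old version AND setuid/setgid (advisory's case)
#   patched-privileged      fixed version, but still a privileged binary
#   unpatched-unprivileged  old version, no elevated bits (crash-only impact)
#   patched-unprivileged    nothing to do
exposure_for() {
    if version_lt "$1" "$FIXED_VERSION"; then old=1; else old=0; fi
    if is_privileged "$2"; then priv=1; else priv=0; fi
    if [ "$old" = 1 ] && [ "$priv" = 1 ]; then echo vulnerable
    elif [ "$old" = 0 ] && [ "$priv" = 1 ]; then echo patched-privileged
    elif [ "$old" = 1 ]; then echo unpatched-unprivileged
    else echo patched-unprivileged
    fi
}

# audit_binary PATH: reads mode from the filesystem and version from the
# package manager (rpm, as on Mageia); usage: audit_binary /usr/games/nethack
audit_binary() {
    bin=${1:-/usr/games/nethack}   # hypothetical default path
    mode=$(stat -c %a "$bin") || return 1
    ver=$(rpm -q --qf '%{VERSION}' nethack 2>/dev/null) || return 1
    echo "$bin version=$ver mode=$mode -> $(exposure_for "$ver" "$mode")"
}
```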

Comment 7 Herman Viaene 2020-03-21 14:14:46 CET
This version behaves exactly the same as the 3.6.5 in Comment 3.
