Bug 26228 - nethack new security issue(s) fixed upstream in 3.6.6
Summary: nethack new security issue(s) fixed upstream in 3.6.6
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Shlomi Fish
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-20 22:07 CET by David Walser
Modified: 2020-08-02 08:29 CEST (History)
6 users (show)

See Also:
Source RPM: nethack-3.6.1-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-02-20 22:07:21 CET
Fedora has issued an advisory on February 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VDMTLPNMUSRGT7QWFBGZW3OWHG3BCBOF/

It doesn't specify the security issue(s) fixed in 3.6.5.
David Walser 2020-02-21 17:53:25 CET

Status comment: (none) => Fixed upstream in 3.6.5

Comment 1 David GEIGER 2020-02-22 05:33:26 CET
Done for mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-02-22 06:08:36 CET
Advisory:
========================

Updated nethack packages fix security vulnerabilities:

NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when
reading very long lines from configuration files. This affects systems that
have NetHack installed suid/sgid, and shared systems that allow users to
upload their own configuration files (CVE-2019-19905).

In NetHack before 3.6.5, unknown options starting with -de and -i can cause a
buffer overflow resulting in a crash or remote code execution/privilege
escalation. This vulnerability affects systems that have NetHack installed
suid/sgid and shared systems that allow users to influence command line
options (CVE-2020-5209).

In NetHack before 3.6.5, an invalid argument to the -w command line option can
cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to influence
command line options (CVE-2020-5210).

In NetHack before 3.6.5, an invalid extended command in value for the
AUTOCOMPLETE configuration file option can cause a buffer overflow resulting
in a crash or remote code execution/privilege escalation. This vulnerability
affects systems that have NetHack installed suid/sgid and shared systems that
allow users to upload their own configuration files (CVE-2020-5211).

In NetHack before 3.6.5, an extremely long value for the MENUCOLOR
configuration file option can cause a buffer overflow resulting in a crash or
remote code execution/privilege escalation. This vulnerability affects
systems that have NetHack installed suid/sgid and shared systems that allow
users to upload their own configuration files (CVE-2020-5212).

In NetHack before 3.6.5, too long of a value for the SYMBOL configuration
file option can cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to upload
their own configuration files (CVE-2020-5213).

In NetHack before 3.6.5, detecting an unknown configuration file option can
cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to upload
their own configuration files (CVE-2020-5214).

The nethack package has been updated to version 3.6.5, fixing these issues and
other bugs.  See the upstream release notes for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5214
https://www.nethack.org/security/CVE-2019-19905.html
https://www.nethack.org/security/CVE-2020-5209.html
https://www.nethack.org/security/CVE-2020-5210.html
https://www.nethack.org/security/CVE-2020-5211.html
https://www.nethack.org/security/CVE-2020-5212.html
https://www.nethack.org/security/CVE-2020-5213.html
https://www.nethack.org/security/CVE-2020-5214.html
https://nethack.org/v362/release.html
https://nethack.org/v363/release.html
https://nethack.org/v364/release.html
https://nethack.org/v365/release.html
========================

Updated packages in core/updates_testing:
========================
nethack-3.6.5-1.mga7
nethack-bitmap-fonts-3.6.5-1.mga7
nethack-bitmap-fonts-core-3.6.5-1.mga7


from nethack-3.6.5-1.mga7.src.rpm

Assignee: shlomif => qa-bugs
Status comment: Fixed upstream in 3.6.5 => (none)

Comment 3 Herman Viaene 2020-02-24 14:16:45 CET
MGA7-64 Plasma on Lenovo B50
No apparent installation issues, but
$ nethack
Warning: cannot write scoreboard file '/var/games/nethack/record'
Unable to open SYSCF_FILE.

Checked:the /var/games/ folder is empty. Checked in MCC the contents of the packages :none of them contain anything in /var, and what is more: the flilelist of nethack-bitmap-fonts-core-3.6.5-1.mga7 is empty????

CC: (none) => herman.viaene

Thomas Backlund 2020-03-06 22:52:09 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 4 David Walser 2020-03-19 15:01:43 CET
Fedora has issued an advisory on March 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LYC5LEWKB2NA46IOI6GGAUMFK5SR3KQ6/

It fixes CVE-2020-5254, fixed upstream in 3.6.6:
https://www.nethack.org/security/CVE-2020-5254.html
https://nethack.org/v366/release.html

Assignee: qa-bugs => geiger.david68210
Summary: nethack new security issue(s) fixed upstream in 3.6.5 => nethack new security issue(s) fixed upstream in 3.6.6
Keywords: advisory => (none)
CC: (none) => qa-bugs

Comment 5 David GEIGER 2020-03-20 08:43:11 CET
Done for both Cauldron and mga7!
Comment 6 David Walser 2020-03-20 13:52:10 CET
Advisory:
========================

Updated nethack packages fix security vulnerabilities:

NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when
reading very long lines from configuration files. This affects systems that
have NetHack installed suid/sgid, and shared systems that allow users to
upload their own configuration files (CVE-2019-19905).

In NetHack before 3.6.5, unknown options starting with -de and -i can cause a
buffer overflow resulting in a crash or remote code execution/privilege
escalation. This vulnerability affects systems that have NetHack installed
suid/sgid and shared systems that allow users to influence command line
options (CVE-2020-5209).

In NetHack before 3.6.5, an invalid argument to the -w command line option can
cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to influence
command line options (CVE-2020-5210).

In NetHack before 3.6.5, an invalid extended command in value for the
AUTOCOMPLETE configuration file option can cause a buffer overflow resulting
in a crash or remote code execution/privilege escalation. This vulnerability
affects systems that have NetHack installed suid/sgid and shared systems that
allow users to upload their own configuration files (CVE-2020-5211).

In NetHack before 3.6.5, an extremely long value for the MENUCOLOR
configuration file option can cause a buffer overflow resulting in a crash or
remote code execution/privilege escalation. This vulnerability affects
systems that have NetHack installed suid/sgid and shared systems that allow
users to upload their own configuration files (CVE-2020-5212).

In NetHack before 3.6.5, too long of a value for the SYMBOL configuration
file option can cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to upload
their own configuration files (CVE-2020-5213).

In NetHack before 3.6.5, detecting an unknown configuration file option can
cause a buffer overflow resulting in a crash or remote code
execution/privilege escalation. This vulnerability affects systems that have
NetHack installed suid/sgid and shared systems that allow users to upload
their own configuration files (CVE-2020-5214).

In NetHack before 3.6.6, some out-of-bound values for the hilite_status
option can be exploited (CVE-2020-5254).

The nethack package has been updated to version 3.6.6, fixing these issues and
other bugs.  See the upstream release notes for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5254
https://www.nethack.org/security/CVE-2019-19905.html
https://www.nethack.org/security/CVE-2020-5209.html
https://www.nethack.org/security/CVE-2020-5210.html
https://www.nethack.org/security/CVE-2020-5211.html
https://www.nethack.org/security/CVE-2020-5212.html
https://www.nethack.org/security/CVE-2020-5213.html
https://www.nethack.org/security/CVE-2020-5214.html
https://www.nethack.org/security/CVE-2020-5254.html
https://nethack.org/v362/release.html
https://nethack.org/v363/release.html
https://nethack.org/v364/release.html
https://nethack.org/v365/release.html
https://nethack.org/v366/release.html
========================

Updated packages in core/updates_testing:
========================
nethack-3.6.6-1.mga7
nethack-bitmap-fonts-3.6.6-1.mga7
nethack-bitmap-fonts-core-3.6.6-1.mga7

from nethack-3.6.6-1.mga7.src.rpm

CC: qa-bugs => (none)
Assignee: geiger.david68210 => qa-bugs

Comment 7 Herman Viaene 2020-03-21 14:14:46 CET
This version behaves exactly the same as the 3.6.5 in Comment 3.
Thomas Backlund 2020-04-15 11:38:18 CEST

Keywords: (none) => advisory

Comment 8 Len Lawrence 2020-04-19 15:33:17 CEST
After installation some nethack fonts appear in /usr/share/fonts/nethack-bitmap and nethack appears in the system games menu.  Documentation is available, but that is as far as it goes; on launch something flashes up on the screen momentarily, literally for a split second, probably the logo, then nothing.  From the command-line it is just as Herman reports in comment 3.  Something is lacking.

CC: (none) => tarazed25

Comment 9 Dave Hodgins 2020-04-19 17:04:55 CEST
Permissions are a mess. To get it to run ...
# mkdir -p /var/games/nethack/record
# chgrp games /var/games/nethack
# chmod g+w /var/games/nethack
# chmod a+r /usr/games/lib/nethackdir/*
# touch /var/games/nethack/perm
# chmod g+rw /var/games/nethack/perm
After that, I was able to complete the first level, though after quiting there
were a couple of additional messages ...
Cannot open file /var/games/nethack/logfile.  Is NetHack installed correctly?
Cannot open file /var/games/nethack/xlogfile.  Is NetHack installed correctly?

My id is a member of the games group.

CC: (none) => davidwhodgins

Dave Hodgins 2020-04-19 17:05:26 CEST

Keywords: (none) => feedback

Comment 10 Len Lawrence 2020-04-19 20:17:38 CEST
Thanks for stepping in Dave.  Had to add games group to perm file before it would start.  Looks like it works after all that but could not play it on my 4K screen.  The field measured 23mmx13mm.  No way to enlarge it.  Had to use a hand-held video magnifier to recognize the little dog.
Comment 11 Dave Hodgins 2020-04-19 20:32:32 CEST
lol. Very long time since I played hack, or it's predecessor rogue. It still
seems to be based on the design for a cga monitor.
Comment 12 David Walser 2020-06-23 17:57:16 CEST
This package needs some work, apparently.  Assigning back to the maintainer.

CC: (none) => qa-bugs
Keywords: advisory, feedback => (none)
Assignee: qa-bugs => shlomif

Comment 13 Shlomi Fish 2020-07-24 17:21:37 CEST
(In reply to David Walser from comment #12)
> This package needs some work, apparently.  Assigning back to the maintainer.

Hi all!

I'd like to note that I prepared new source and binary packages of nethack in mageia cauldron/updates-testing. I basically made the package much closer to Fedora Rawhide's one ("imitation is the sincerest form of flattery"). This seems  to run fine, so please test it.
Comment 14 Shlomi Fish 2020-08-02 08:29:13 CEST
(In reply to Shlomi Fish from comment #13)
> (In reply to David Walser from comment #12)
> > This package needs some work, apparently.  Assigning back to the maintainer.
> 
> Hi all!
> 
> I'd like to note that I prepared new source and binary packages of nethack
> in mageia cauldron/updates-testing. I basically made the package much closer
> to Fedora Rawhide's one ("imitation is the sincerest form of flattery").
> This seems  to run fine, so please test it.

This was now pushed as 3.6.6-4 into cauldron core/release by "tv" and myself.

Note You need to log in before you can comment on or make changes to this bug.