Your message dated Sun, 31 May 2020 17:49:17 +0000
with message-id <e1jfs5f-000h03...@fasolo.debian.org>
and subject line Bug#947005: fixed in nethack 3.6.6-1
has caused the Debian Bug report #947005,
regarding nethack: CVE-2019-19905: buffer overflow when parsing config files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
947005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947005
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nethack
Version: 3.6.0-1
Severity: grave
Tags: security
X-Debbugs-Cc: t...@security.debian.org

Hi,

a new version of NetHack has been released that fixes a privilege
escalation issue introduced in 3.6.0 [0] [1]:

> A buffer overflow issue exists when reading very long lines from a
> NetHack configuration file (usually named .nethackrc).
>
> This vulnerability affects systems that have NetHack installed suid/sgid
> and shared systems that allow users to upload their own configuration
> files.
>
> All users are urged to upgrade to NetHack 3.6.4 as soon as possible.

As the Debian packages ship setgid binaries, I think they are affected by it.
At least these two commits look related:
https://github.com/NetHack/NetHack/commit/f4a840a
https://github.com/NetHack/NetHack/commit/f001de7

Regards,
Reiner

[0] https://nethack.org/security/index.html
[1] https://nethack.org/v364/release.html
--- End Message ---
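The advisory quoted in the report above describes the bug class only in one sentence: a buffer overflow when a very long line is read from .nethackrc, in a program that runs setgid. As an added illustration (this is not NetHack's code and not a reconstruction of the two commits linked above), the following C program puts the unbounded-copy pattern next to a bounded line reader and option parser that rejects oversized lines and tokens instead of overflowing. The rc-file syntax (OPTIONS=a,b,c), the buffer sizes BUFSZ/OPTION_MAX/MAX_OPTIONS and the sample input are assumptions constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen, strtok_r */
#include <stdio.h>
#include <string.h>

/* Sizes are assumptions for this demo, deliberately small so an over-long
 * line is easy to construct; they are not NetHack's values. */
#define BUFSZ 64        /* line buffer: lines longer than BUFSZ-2 chars are rejected */
#define OPTION_MAX 16   /* one option token including the terminating NUL */
#define MAX_OPTIONS 8

struct config {
    char options[MAX_OPTIONS][OPTION_MAX];
    int n_options;
    int rejected_lines;    /* whole lines dropped because they exceeded BUFSZ */
    int rejected_options;  /* tokens dropped because they exceeded OPTION_MAX */
};

/* Read one line into buf. Returns 1 with a complete line, 0 at EOF, or -1
 * when the line did not fit: the remainder of that line is drained so the
 * next call starts at a real line boundary instead of treating the tail of
 * a huge line as a fresh, attacker-chosen line. */
static int read_line(FILE *fp, char *buf, size_t bufsz)
{
    if (!fgets(buf, (int)bufsz, fp))
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    if (feof(fp))               /* final line without newline; it fit */
        return 1;
    int c;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;                       /* discard the oversized remainder */
    return -1;
}

/* The unsafe pattern the advisory warns about: an unbounded copy into a
 * fixed-size buffer. Shown for contrast only; never fed untrusted input here. */
static void add_option_unchecked(struct config *cfg, const char *opt)
{
    strcpy(cfg->options[cfg->n_options++], opt);  /* overflows when strlen(opt) >= OPTION_MAX */
}

/* Hardened form: check the length and the slot count, and reject rather
 * than silently truncate so the stored name is exactly what the file said. */
static int add_option_checked(struct config *cfg, const char *opt)
{
    size_t len = strlen(opt);
    if (len == 0 || len >= OPTION_MAX || cfg->n_options >= MAX_OPTIONS)
        return -1;
    memcpy(cfg->options[cfg->n_options++], opt, len + 1);
    return 0;
}

/* Parse OPTIONS=a,b,c lines (an assumed rc-file syntax). Returns the number
 * of options accepted; counts of rejected lines/tokens land in *cfg. */
int parse_config(FILE *fp, struct config *cfg)
{
    char line[BUFSZ];
    int rc;
    memset(cfg, 0, sizeof *cfg);
    while ((rc = read_line(fp, line, sizeof line)) != 0) {
        if (rc < 0) { cfg->rejected_lines++; continue; }
        if (line[0] == '#' || line[0] == '\0' || strncmp(line, "OPTIONS=", 8) != 0)
            continue;
        char *save = NULL;
        for (char *tok = strtok_r(line + 8, ",", &save); tok; tok = strtok_r(NULL, ",", &save))
            if (add_option_checked(cfg, tok) < 0)
                cfg->rejected_options++;
    }
    return cfg->n_options;
}

/* Constructed sample rc text (not a real user's file): one good line, one
 * line far longer than BUFSZ, one line with an over-long option token. */
static struct config g_cfg;
static int demo(struct config *cfg)
{
    char text[512];
    int n = snprintf(text, sizeof text,
                     "# constructed sample rc file, not a real user's\n"
                     "OPTIONS=autopickup,color\n"
                     "OPTIONS=");
    memset(text + n, 'A', 100);          /* 100-char option: whole line exceeds BUFSZ */
    n += 100;
    n += snprintf(text + n, sizeof text - (size_t)n,
                  "\nOPTIONS=fruit:slime-mold-extra-long-name,verbose\n");
    FILE *fp = fmemopen(text, (size_t)n, "r");
    if (!fp)
        return -1;
    int accepted = parse_config(fp, cfg);
    fclose(fp);
    return accepted;
}

int demo_accepted(void)         { return demo(&g_cfg); }
int demo_rejected_lines(void)   { demo(&g_cfg); return g_cfg.rejected_lines; }
int demo_rejected_options(void) { demo(&g_cfg); return g_cfg.rejected_options; }
const char *demo_option(int i)  { demo(&g_cfg); return i < g_cfg.n_options ? g_cfg.options[i] : ""; }

int main(void)
{
    struct config cfg;
    int accepted = demo(&cfg);
    printf("accepted %d options, rejected %d lines and %d tokens\n",
           accepted, cfg.rejected_lines, cfg.rejected_options);
    for (int i = 0; i < cfg.n_options; i++)
        printf("  option[%d] = %s\n", i, cfg.options[i]);
    add_option_unchecked(&cfg, "color");   /* safe only because the input is short */
    return 0;
}
```

On the sample input the checked parser accepts autopickup, color and verbose, drops the 109-character line as a whole and drops the over-long fruit: token. The draining step in read_line matters as much as the length check: a reader that merely truncated would hand the tail of the over-long line back as the next line. In a setgid binary the rc file is untrusted input to a privileged process, which is why the report above treats the overflow as privilege escalation rather than a crash.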
--- Begin Message ---
Source: nethack
Source-Version: 3.6.6-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
nethack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated nethack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 31 May 2020 18:57:45 +0200
Source: nethack
Architecture: source
Version: 3.6.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-de...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 947005 953978 957598
Changes:
 nethack (3.6.6-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Reiner Herrmann ]
   * Update watch file. The sourceforge page seems to be no longer kept
     up-to-date. Use the official site instead, but mangle the page a bit,
     to point to the correct tarball location.
 .
   [ Markus Koschany ]
   * New upstream version 3.6.6.
     - Fixes CVE-2020-5254, CVE-2020-5214, CVE-2020-5213, CVE-2020-5212,
       CVE-2020-5211, CVE-2020-5210, CVE-2020-5209 and CVE-2019-19905.
       (Closes: #947005, #953978)
   * Fixes FTBFS with GCC 10. (Closes: #957598)
   * Switch to debhelper-compat = 13
   * Declare compliance with Debian Policy 4.5.0.
   * Drop u1-fix-H7138-sys-unix-setup.sh-fails-with-no-arguments.patch.
     Fixed upstream.
   * Rebase all patches for new version 3.6.6.
   * Remove all lisp patches. Broken and unmaintained with 3.6.6.
     Maintainers are welcome. nethack-lisp can be salvaged by fixing the
     errors on the lisp branch in Git. If they are not fixed before the
     bullseye release nethack-lisp will be removed.
Checksums-Sha1:
 d5659ae7da59e1a9947f0b5fe0c4415f5a9deb6e 2433 nethack_3.6.6-1.dsc
 d425d447892157c2efa612e31d02a062e72040e2 5577633 nethack_3.6.6.orig.tar.gz
 9752bd9177e6cb0cc0c216ccebc4ae81ee97a767 49608 nethack_3.6.6-1.debian.tar.xz
 2d07c0841e16da9490db4a4e778fba460819f01d 8572 nethack_3.6.6-1_amd64.buildinfo
Checksums-Sha256:
 0fe55067dbd878615c1f4b04a3d1898a452fb306b205baac8e7d0f1c1bee0367 2433 nethack_3.6.6-1.dsc
 cfde0c3ab6dd7c22ae82e1e5a59ab80152304eb23fb06e3129439271e5643ed2 5577633 nethack_3.6.6.orig.tar.gz
 92404b459d929698ab36729d15473b2f46e26a93f91ca7496a5c8bef7a885168 49608 nethack_3.6.6-1.debian.tar.xz
 897ff26e28299e9ea3ae183f45e32f32833dfc8ea8b8137cf09ba7881719654b 8572 nethack_3.6.6-1_amd64.buildinfo
Files:
 841c989a12e22b427e480a0a2bea2d58 2433 games optional nethack_3.6.6-1.dsc
 6c9a75f556d24c66801d74d8727a602e 5577633 games optional nethack_3.6.6.orig.tar.gz
 9df770eba517625b38eac596bee1fcb5 49608 games optional nethack_3.6.6-1.debian.tar.xz
 606470a4fa6b304b8151655572dde74b 8572 games optional nethack_3.6.6-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl7T58pfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkbAQP/3G4YIhonS0Brk3xJxVZn6V53z7GVVleWInq
ijn0+8IsGzEoUoBDTJJ101tAZOcQ2JOY8ZmNWOE163mPq0uiKyxv+kbD54SpGlBX
hsjX5GhA5U7Rl3Oi+84Oe1TF3js3bjKAGLH2XyO7W7m7uHktFj6J6okNs6uqElDa
HWo7g0wEDfZn9yFvE7VwN9i3O/Jm7m/3lWa1RrEXTalCZfLhQjvHC8ehb+pqep3/
E90hCofATv6SvuHfvBr84KxcmbruAtn3UDtrwkRcrJNeghdIgbv9cLqov6+AY/NO
JOwzvkxKFOUxkScG6wy0IV08gCNXnKabRJxLFnr1SRM6OSZA+w0Ghx7F8bLavZqR
5/sRTPQq0toS/AuU3KNx7DzN1SfO6Bma5hXkHEOdWeqFAx3oJDZP8OtIHqSuyl5m
4U8Cbrb8PaK4xCuiEZEiXHKO+qYaq5yPuAdRztirL7k7l/fNyz7YeLqA8uq/8tMb
QK6aJwmHozV+aWjfT3ROHBwLfl/bZgazUOGYRsTN9EIwY5ub1axKaAhI7OcXHMid
cgg2Zvhy2rkHovjnucc9eP1D7KG52sGfzawm6wAxjIb6OMz1kzUyeKwgy9ePb/yJ
zh+5kJbPwP6NXYr6PlyfEuRG3WtKJT5gumqRGaF0NUcf3Qw/DruPuFkg2NPUMmOv
GaufLwso
=ArIg
-----END PGP SIGNATURE-----
--- End Message ---