A vulnerability classified as critical was found in NetHack up to 3.6.4. This vulnerability affects an unknown functionality of the component Configuration Handler. The manipulation as part of a Configuration File leads to a buffer overflow vulnerability. The CWE definition for the vulnerability is CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

In NetHack before 3.6.5, detecting an unknown configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. Users should upgrade to NetHack 3.6.5.

The weakness was published 01/28/2020 (GitHub Repository). The advisory is shared for download at github.com. This vulnerability was named CVE-2020-5214. The attack needs to be approached locally. The successful exploitation needs a single authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.

Upgrading to version 3.6.5 eliminates this vulnerability.

Productinfo

Name

• NetHack

Version

• 3.6.0
• 3.6.1
• 3.6.2
• 3.6.3
• 3.6.4

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion