Bug 1789078 (CVE-2019-19905)

Summary: CVE-2019-19905 nethack: buffer overflow when reading very long lines from configuration files
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: lewk, me, tachoknight
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-08 18:20:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1789079, 1789080    
Bug Blocks:    

Description Guilherme de Almeida Suckevicz 2020-01-08 17:05:59 UTC 
NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when reading very long lines from configuration files. This affects systems that have NetHack installed suid/sgid, and shared systems that allow users to upload their own configuration files.

Reference:
https://github.com/NetHack/NetHack/security/advisories/GHSA-3cm7-rgh5-9pq5

Upstream commits:
https://github.com/NetHack/NetHack/commit/f001de79542b8c38b1f8e6d7eaefbbd28ab94b47
https://github.com/NetHack/NetHack/commit/f4a840a48f4bcf11757b3d859e9d53cc9d5ef226
Comment 1 Guilherme de Almeida Suckevicz 2020-01-08 17:06:54 UTC 
Created nethack tracking bugs for this issue:

Affects: epel-8 [bug 1789080]
Affects: fedora-all [bug 1789079]
Comment 2 Ron Olson 2020-01-08 17:27:20 UTC 
Way ahead of you; Nethack 3.6.4 is already available everywhere:

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-2a808715f1
https://bodhi.fedoraproject.org/updates/FEDORA-2019-79b80b66d9
https://bodhi.fedoraproject.org/updates/FEDORA-2019-1090bd0af2
https://bodhi.fedoraproject.org/updates/FEDORA-2019-b0a5f3ab5d

Is there something more that needs to be done, or can all these tickets be closed?
Comment 3 Guilherme de Almeida Suckevicz 2020-01-08 17:51:23 UTC 
In reply to comment #2:
> Way ahead of you; Nethack 3.6.4 is already available everywhere:
> 
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-2a808715f1
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-79b80b66d9
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-1090bd0af2
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-b0a5f3ab5d
> 
> Is there something more that needs to be done, or can all these tickets be
> closed?

Thank you for letting me know that! The tickets can be closed.