Candidate: CVE-2020-5209
PublicDate: 2020-01-28 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5209
 https://github.com/NetHack/NetHack/security/advisories/GHSA-fw72-r8xm-45p8
 https://github.com/NetHack/NetHack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77
Description:
 In NetHack before 3.6.5, unknown options starting with -de and -i can cause
 a buffer overflow resulting in a crash or remote code execution/privilege
 escalation. This vulnerability affects systems that have NetHack installed
 suid/sgid and shared systems that allow users to influence command line
 options. Users should upgrade to NetHack 3.6.5.
Ubuntu-Description:
Notes:
 msalvatore> Nethack is installed sgid games, but not suid or sgid root.
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_nethack:
upstream_nethack: released (2.6.5)
precise/esm_nethack: DNE
trusty_nethack: ignored (out of standard support)
trusty/esm_nethack: DNE
xenial_nethack: ignored (end of standard support, was needs-triage)
bionic_nethack: needs-triage
eoan_nethack: ignored (reached end-of-life)
focal_nethack: needs-triage
groovy_nethack: not-affected (3.6.6-1)
hirsute_nethack: not-affected (3.6.6-1)
impish_nethack: not-affected (3.6.6-1)
jammy_nethack: not-affected (3.6.6-1)
devel_nethack: not-affected (3.6.6-1)