Headline
CVE-2023-24809: NetHack Call command buffer overflow
NetHack is a single-player dungeon exploration game. Starting with version 3.6.2 and prior to version 3.6.7, illegal input to the “C” (call) command can cause a buffer overflow and crash the NetHack process. This vulnerability may be a security issue for systems that have NetHack installed suid/sgid and for shared systems. For all systems, it may result in a process crash. This issue is resolved in NetHack 3.6.7. There are no known workarounds.
Impact
Illegal input to the “C” (call) command can crash the NetHack process.
CVSS including Temporal Score
For a multiuser installation: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:R (6.5 Medium)
For a single user installation: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (3.3 Low)
Patches
This issue is resolved in NetHack 3.6.7.
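To triage installs against the affected range (3.6.2 up to but not including 3.6.7) and the suid/sgid condition the advisory singles out, here is an added check script; it is not part of this advisory or of NetHack. The version string is assumed to come from the game's own version output or from the package manager, and the file mode from `os.stat` on the installed binary.

```python
import os
import re
import stat

# Affected range stated in the advisory: introduced in 3.6.2, fixed in 3.6.7.
FIRST_AFFECTED = (3, 6, 2)
FIXED_IN = (3, 6, 7)


def parse_version(text):
    """Extract an x.y.z version tuple from text such as 'NetHack Version 3.6.6'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def is_affected(version_text):
    """True when 3.6.2 <= version < 3.6.7, the range named in the advisory."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED_IN


def privileged_install(mode):
    """True when the st_mode carries the setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def classify(version_text, mode):
    """Map version and install mode to the advisory's two risk descriptions."""
    if not is_affected(version_text):
        return "unaffected"
    if privileged_install(mode):
        # Multiuser / suid/sgid install: advisory rates this as a potential security issue.
        return "affected: suid/sgid install, treat as a security issue"
    # Single-user, unprivileged install: impact is limited to a process crash.
    return "affected: unprivileged install, process crash only"


def classify_binary(path, version_text):
    """Stat the installed binary and classify it with the caller-supplied version string."""
    return classify(version_text, os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real host.
    print(classify("NetHack Version 3.6.6", 0o102755))  # setgid games binary
    print(classify("NetHack Version 3.6.7", 0o102755))
```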
Workarounds
None.
Additional information, if any, will be made available at https://nethack.org/security.
For more information
If you have any questions or comments about this advisory:
- Submit our contact form at https://nethack.org/common/contact.html
- Email us at [email protected]