nethack C340-137: security issue fixed

From: devteamat_private
Date: Sat Mar 01 2003 - 12:33:38 PST

    A security issue was recently discovered that affects shared installations
    of nethack 3.4.0 where the game was installed setuid or setgid.  This bug
    has now been fixed.
    
    This issue was reported to bugtraq by tsao_4sh0at_private on 2/8/03
    as "Subject: #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow".
    That report referred specifically to a Linux RPM not created by the
    devteam.  However, the bug existed in the official nethack source as well.
    
    Solutions:
    
    1) The nethack 3.4.1 patch release, which was released on 2/23/2003,
    includes a fix for this issue.  The 3.4.1 version can be downloaded from
    
        http://nethack.sourceforge.net/v341/downloads.html
    
    Source and pre-built binaries for many platforms are available.
    Additional information on 3.4.1 can be found at
    
        http://nethack.sourceforge.net/v341/release.html
    
    2) If upgrading to 3.4.1 is not desired, a patch can be applied
    to the 3.4.0 source.  The patch is available at
        http://nethack.sourceforge.net/v340/bugmore/secpatch.txt
    
    Contact:
    
    Security issues in nethack can be reported to devteamat_private
    or by using the e-mail form at
        http://nethack.sourceforge.net/common/contact.html
    
    Dave Cohrs
    for the Nethack Development Team
    


