92325 2003-03-02  23:28  /34 lines/  <devteam@nethack.org>
Imported: 2003-03-02  23:28  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3751>
Subject: nethack C340-137: security issue fixed
------------------------------------------------------------
Recently, a security issue affecting shared installations of nethack
3.4.0 where the game was installed setuid or setgid was discovered.
This bug has now been fixed.

This issue was reported to bugtraq by tsao_4sh0@hushmail.com on
2/8/03 as "Subject: #!ICadv-02.09.03: nethack 3.4.0 local buffer
overflow".  That report referred specifically to a Linux RPM not
created by the devteam.  However, the bug existed in the official
nethack source as well.

Solutions:

1) The nethack 3.4.1 patch release, which was released on 2/23/2003,
includes a fix for this issue.  The 3.4.1 version can be downloaded
from

    http://nethack.sourceforge.net/v341/downloads.html

Source and pre-built binaries for many platforms are available.
Additional information on 3.4.1 can be found at

    http://nethack.sourceforge.net/v341/release.html

2) If upgrading to 3.4.1 is not desired, a patch can be applied
to the 3.4.0 source.  The patch is available at
    http://nethack.sourceforge.net/v340/bugmore/secpatch.txt

Contact:

Security issues in nethack can be reported to devteam@nethack.org
or by using the e-mail form at
    http://nethack.sourceforge.net/common/contact.html

Dave Cohrs
for the Nethack Development Team
(92325) / <devteam@nethack.org>/----------(Rewrapped)