Subject: CVS commit: pkgsrc/games
From: Olaf Seibert
Date: 2020-01-28 22:11:30
Message id: 20200128211131.0B764FBF4@cvs.NetBSD.org
Log Message:
games/nethack: update to 3.6.5.

The NetHack DevTeam is announcing the release of NetHack 3.6.5 on January 27,
2020

NetHack 3.6.5 is the official release of NetHack that follows NetHack 3.6.4.

This release primarily corrects security issues present in NetHack versions
3.6.0, 3.6.1, 3.6.2, 3.6.3 and 3.6.4.

CVE-2020-5214	Error recovery after syntax error in configuration file is
                subject to a buffer overflow
CVE-2020-5213	SYMBOL configuration file option is subject to a buffer overflow
CVE-2020-5212	MENUCOLOR configuration file option is subject to a buffer
                overflow
CVE-2020-5211	AUTOCOMPLETE configuration file option is subject to a buffer
                overflow
CVE-2020-5210	NetHack command line -w option parsing is subject to a buffer
                overflow
CVE-2020-5209	Command line parsing of options starting with -de and -i is
                subject to a buffer overflow
CVE-2019-19905	Privilege escalation/remote code execution/crash in
                configuration parsing

You are encouraged to update to NetHack 3.6.5 as soon as possible.

Here's a brief synopsis of the handful of bug fixes included in NetHack 3.6.5:

    fix accessing mons[-1] when trying to gate in a non-valid demon
    fix accessing mons[-1] when monster figures out if a tin cures stoning
    have string_for_opt() return empty_optstr on failure
    ensure existing callers of string_for_opt() check return value
      before using it
    fix potential buffer overflow in add_menu_coloring()
    fix potential buffer overflow in sym_val()
    fix potential buffer overflow in pline(), raw_printf(), and
      config_error_add()
    fix potential buffer overflow in choose_windows()
    use vsnprintf instead of vsprintf in pline.c where possible
    Windows: includes a fix from a 3.6.4 post-release update where
      OPTIONS=map_mode:fit_to_screen could cause a game start failure
    Windows: users with C-locale unmappable names could get game start failure

All of the fixes have been incrementally published on the public Git
repository for the game. A more complete list can be found in the game's
sources in doc/fixes36.5. As usual, a warning that some entries in that
file may also be "spoilers".

Existing saved games and bones files from 3.6.0 through to 3.6.4 should
work with 3.6.5, assuming that the same build configuration options were
used.
Files:
RevisionActionfile
1.34modifypkgsrc/games/nethack-lib/Makefile
1.42modifypkgsrc/games/nethack-lib/Makefile.common
1.26modifypkgsrc/games/nethack-lib/distinfo
1.41modifypkgsrc/games/nethack-x11/Makefile