Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=187353
--- Comment #15 from Luke Macken lmacken@redhat.com 2009-03-15 16:42:19 EDT --- Reply from nethack upstream about this issue, and the potential rumour that it has been fixed upstream.
"""
Someone in the Gentoo community mentioned a while back that the dev team had patched the buffer overflow.
We could probably extract the relevant changes, but I don't think that you actually need them. The real security bug is being caused by gentoo's policy of giving users full access to the same group as nethack's setgid setting. They shot themselves in the foot here, by allowing users to modify the score file outside of nethack. The lax buffer handling has been (or will be, from a 3.4.3 perspective...) fixed, but it is not exploitable in a standard installation where nethack runs in a group whose files can't be manipulated by arbitrary users.
I assume that redhat/fedora doesn't have the same config issue as gentoo. If I'm wrong, then you should change nethack to run in a distinct group rather than--or in addition to-- patching its score file parsing code. """
+1 for closing this bug :)
security@lists.fedoraproject.org