from the remote-code-execution-is-part-of-the-challenge dept.
A new version of the venerable roguelike game NetHack has been released. This release is primarily a security release:
NetHack 3.6.5 is the official release of NetHack that follows NetHack 3.6.4.
This release primarily corrects security issues present in NetHack versions 3.6.0, 3.6.1, 3.6.2, 3.6.3 and 3.6.4. For details about the security issues please see https://www.nethack.org/security.
You are encouraged to update to NetHack 3.6.5 as soon as possible.
Quoth Wikipedia:
NetHack is a single-player roguelike video game originally released in 1987 with ASCII graphics. It is a descendant of an earlier game called Hack (1982), which is a clone of Rogue (1980). Comparing it with Rogue, Engadget's Justin Olivetti wrote that it took its exploration aspect and "made it far richer with an encyclopedia of objects, a larger vocabulary, a wealth of pop culture mentions, and a puzzler's attitude." In 2000, Salon described it as "one of the finest gaming experiences the computing world has to offer".
For those who have not played it yet, I encourage you to play it a few dozen times. You will die. A lot.
(Score: 2) by Mer on Wednesday January 29 2020, @01:26PM (4 children)
So this mostly for the telnet version. I do see some bugfixes but it seems like the standalone version is fine.
Shut up!, he explained.
(Score: 2) by Immerman on Wednesday January 29 2020, @04:58PM (2 children)
Oh? I didn't see anything about telnet, sounds like the security stuff was mostly buffer overflow problems that could be triggered by malicious save or config files .
Also, telnet? Is nethack multiplayer then? I don't think I've ever actually played it.
(Score: 1) by dioxide on Wednesday January 29 2020, @07:11PM
Telnet as in playing on an shared or otherwise multiuser server. Your interaction with other players is only through bones files, ie running into their ghosts or finding their lost gear.
These bugs should not be an issue for single user systems.
(Score: 2) by Webweasel on Thursday January 30 2020, @12:21PM
nethack.alt.org
Its not multiplayer, but you can watch other people play in real time.
Priyom.org Number stations, Russian Military radio. "You are a bad, bad man. Do you have any other virtues?"-Runaway1956
(Score: 2) by Gaaark on Wednesday January 29 2020, @09:53PM
Love the sig: seems very Trumpy!
Seriously: it's what he does constantly.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 4, Interesting) by VLM on Wednesday January 29 2020, @01:39PM (6 children)
Sounded familiar; google found that around the turn of the century 3.4.0 had a local buffer overflow with a simple exploit that could drop a shell, more or less the same class of problem.
The idea of having a shared high score database is a good one. Unfortunately trying to implement your own shared database is about as dangerous as trying to implement your own crypto functions, and seems to inevitably have the same result. In 1990 writing your own shared multiuser database was "cute" and save disk and memory back when a 40 meg IDE was pretty cutting edge and I was using 5 megs of ram (four sticks of 256K, four sticks of 1M). In 2020 you install mysql and call it good.
I do wonder in 2020 how many internet accessible public multi user shared shell account providers exist. Can't priv-esc if no one can get in to begin with except the guy who already has both physical access, permission (from himself) and root anyway. I believe amazon AWS t2.micro instances are below $10/month now. Technically you don't need to have your personal nethack server powered up 24x7, only need it when you're online, so it would be vastly cheaper. Meanwhile for you legacy hardware people, a raspi zero, if you can get one, in theory costs $5, and an idle pi zero draws about a third of a watt so at the usual $1 per watt-year leaving a pi booted up and running 24x7 would cost about 33 cents per year.
If you're gonna play less than three hundred or so hours, its cheaper to pay as you go on AWS, and over three hundred hours its cheaper to buy a pi of your own. Of course hardware is more expensive, because I left out buying a flash card, replacing it annually or so when the OS kills it by endless writing, most people buy a case for their pi, in theory you might not have a pi compatible USB power source (how?) whereas AWS is all inclusive resort pricing. Still somewhere around maybe a thousand hours played, its cheaper to buy your own hardware.
(Score: 5, Informative) by maxwell demon on Wednesday January 29 2020, @02:34PM
Of course the cheapest way is to go to an existing nethack server that lets you play for free. [alt.org]
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by mhajicek on Wednesday January 29 2020, @03:54PM (4 children)
I'm partial to Moria myself.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 0) by Anonymous Coward on Wednesday January 29 2020, @09:30PM (2 children)
Can you still get that code? I think back to some of those games I played on the mainframes like that, and netrek(?) and others. Boy those were lots of fun. I'm pretty sure I have forgotten most of what was available, but the nettrek (is it two "t"'s?) blew me away because it was online multiplayer. I never got any good at it, and the sysadmin guys who basically played it all day went around and blew up the newbies like me, but it was still a lot of fun.
(Score: 1) by RandomFactor on Wednesday January 29 2020, @10:09PM
Empire.
Ascii game, took hours to play. Later they colorized it.
В «Правде» нет известий, в «Известиях» нет правды
(Score: 2, Informative) by RandomFactor on Wednesday January 29 2020, @10:12PM
https://www.myabandonware.com/game/moria-27f [myabandonware.com]
Looks like you can still find it
В «Правде» нет известий, в «Известиях» нет правды
(Score: 2) by bzipitidoo on Wednesday January 29 2020, @10:27PM
I played Beneath Apple Manor back in the day.
(Score: 4, Funny) by ikanreed on Wednesday January 29 2020, @03:12PM (1 child)
Downmods can't cross the subject line. That's the rules.
(Score: 4, Funny) by Thexalon on Wednesday January 29 2020, @03:35PM
Just be careful not to move, unless you engraved it with a wand or athame.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Touché) by Runaway1956 on Wednesday January 29 2020, @06:05PM
:^)