
Cloud Vulnerability DB
A community-led vulnerabilities database
NetHack, a single-player dungeon exploration game, was found to contain a buffer overflow vulnerability in versions 3.6.2 through 3.6.6. The vulnerability was discovered on January 1, 2023, and was patched with the release of version 3.6.7 on February 16, 2023. The issue occurs when using the 'C' (call) command with illegal input, which can cause a buffer overflow and crash the NetHack process (NetHack Advisory, GitHub Advisory).
The vulnerability is classified as a Buffer Copy without Checking Size of Input (Classic Buffer Overflow) under CWE-120. It received a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. For multiuser installations, the CVSS temporal score is rated at 6.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:R, while single-user installations receive a lower score of 3.3 (Low) (GitHub Advisory).
The vulnerability's impact varies depending on the installation type. For systems with NetHack installed with suid/sgid privileges and shared systems, it presents a significant security risk. In all cases, the vulnerability can result in a process crash. The severity is rated as High due to potential impacts on system integrity and availability (NetHack Advisory).
The vulnerability has been patched in NetHack version 3.6.7. No workarounds are available for affected versions, and users are strongly encouraged to upgrade to version 3.6.7 as soon as possible (NetHack Advisory).
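A triage check built from the affected range and the suid/sgid distinction described above, as an added example rather than code from the NetHack project or the advisories. The function names, the output labels and the assumption that the version appears as the first dotted triple in the supplied string are all illustrative.

```shell
#!/bin/sh
# Added example: classify a NetHack install against the advisory's stated range.
# Only 3.6.2 through 3.6.6 are flagged, because that is the range the page gives.

# Print the first N.N.N token found in $1 (a bare version or a version banner).
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Return 0 if version $1 lies in the affected range 3.6.2..3.6.6.
nethack_version_affected() {
    case "$1" in
        3.6.[2-6]) return 0 ;;
        *)         return 1 ;;
    esac
}

# $1 = version string or banner, $2 = path to the installed game binary (optional).
# Prints one of: unknown, not-affected, affected, affected-privileged.
triage_nethack() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    if ! nethack_version_affected "$ver"; then
        echo "not-affected"
        return 0
    fi
    # A set-uid or set-gid bit on the binary is the higher-risk case the
    # advisory calls out for shared systems.
    if [ -n "$2" ] && { [ -u "$2" ] || [ -g "$2" ]; }; then
        echo "affected-privileged"
    else
        echo "affected"
    fi
}
```

Feed it the version your package manager or the game itself reports, plus the path of the installed binary; any result other than `not-affected` means the upgrade to 3.6.7 is still pending.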
Source: This report was generated using AI