CVE-2019-19905

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-19905
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-19905.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-19905
Downstream
Related
Published
2019-12-19T18:15:12.647Z
Modified
2025-11-14T09:32:18.288743Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when reading very long lines from configuration files. This affects systems that have NetHack installed suid/sgid, and shared systems that allow users to upload their own configuration files.

References

Affected packages

Git / github.com/nethack/nethack

Affected ranges

Type
GIT
Repo
https://github.com/nethack/nethack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f001de79542b8c38b1f8e6d7eaefbbd28ab94b47
Fixed
f4a840a48f4bcf11757b3d859e9d53cc9d5ef226

Affected versions

Other

MOVE2GIT

NetHack-3.*

NetHack-3.6.0_RC01
NetHack-3.6.0_RC02
NetHack-3.6.0_RC03
NetHack-3.6.0_RC04
NetHack-3.6.0_RC05
NetHack-3.6.0_Release
NetHack-3.6.1_RC01
NetHack-3.6.1_Release
NetHack-3.6.2_Release
NetHack-3.6.2_Released
NetHack-3.6.3.beta1.2019.11.17
NetHack-3.6.3.wip.2019.10.29
NetHack-3.6.3.wip.2019.10.30
NetHack-3.6.3.wip.2019.11.04
NetHack-3.6.3_Released
NetHack-3.6.3_WIP

v3.*

v3.6.3.757eca7
v3.6.3.wip.2019.10.29

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://github.com/nethack/nethack/commit/f4a840a48f4bcf11757b3d859e9d53cc9d5ef226",
        "signature_type": "Line",
        "id": "CVE-2019-19905-070f9c1f",
        "target": {
            "file": "src/files.c"
        },
        "digest": {
            "line_hashes": [
                "26961400313376108429921987578640899328",
                "13198010897084917927445134827763789871",
                "301660297847314158906968785346061189430",
                "305364512567948852253197631201114623342",
                "48135041025568776608930142938556586751",
                "35228986595259396408271638364536354873",
                "311424731610931539670844446726701228163",
                "336997739704092229153841976868564076325",
                "1897609516785154338923294080487339007",
                "332372284303631247813861771839214444055",
                "66159801133062218642847150427360569172",
                "54546970892710300408899295710613259856",
                "333388130237199819552198483958670175399",
                "50946443806047556472667632790487523973",
                "250727457770103261683033760717612742717",
                "128182379615074142482727040696954110008",
                "144408160085640486571022953468062618191",
                "290501057356310795772825502409823155585",
                "290992863102276924145757132850038097533",
                "153150961289152042704493088656653711974",
                "279795543691468206954057611899987833889",
                "196077983847699537571137104472712850511",
                "332452378490572381286775884918331708236",
                "310287622283507457521787993113238323308",
                "314529546056484968251247494416024801154",
                "206339289586190838729620367865181311779",
                "227602963386412199398419533756630284218",
                "196805195529654038130795328704152591388",
                "234860307265135649672215421452423321552",
                "11094941029869456702831502437266640204",
                "26139496897707473188171585183791514733",
                "257014659270557530224795810044454823939",
                "174063909781570399675394002348367771042",
                "100692113801815488445166711921157125232",
                "77659063208283810219549991776486221903",
                "52823446101815831710242094852588069347"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    }
]