{"id":"CVE-2019-19905","details":"NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when reading very long lines from configuration files. This affects systems that have NetHack installed suid/sgid, and shared systems that allow users to upload their own configuration files.","aliases":["GHSA-3cm7-rgh5-9pq5"],"modified":"2026-05-18T14:17:11.565517Z","published":"2019-12-19T18:15:12.647Z","references":[{"type":"ADVISORY","url":"https://github.com/NetHack/NetHack/security/advisories/GHSA-3cm7-rgh5-9pq5"},{"type":"ADVISORY","url":"https://nethack.org/security/"},{"type":"FIX","url":"https://bugs.debian.org/947005"},{"type":"FIX","url":"https://github.com/NetHack/NetHack/commit/f001de79542b8c38b1f8e6d7eaefbbd28ab94b47"},{"type":"FIX","url":"https://github.com/NetHack/NetHack/commit/f4a840a48f4bcf11757b3d859e9d53cc9d5ef226"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nethack/nethack","events":[{"introduced":"585e9f1b35fda7b47f8d27d12f7e93e12a69a7bc"},{"fixed":"cf9e92677a18d1bc66c040068b2e666c651c7522"},{"fixed":"f001de79542b8c38b1f8e6d7eaefbbd28ab94b47"},{"fixed":"f4a840a48f4bcf11757b3d859e9d53cc9d5ef226"}],"database_specific":{"extracted_events":[{"introduced":"3.6.0"},{"fixed":"3.6.4"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:nethack:nethack:*:*:*:*:*:*:*:*"}}],"versions":["NetHack-3.6.3_Released","NetHack-3.6.3.beta1.2019.11.17","NetHack-3.6.3.wip.2019.10.30","v3.6.3.wip.2019.10.29","NetHack-3.6.3.wip.2019.10.29","v3.6.3.757eca7","NetHack-3.6.3_WIP","NetHack-3.6.2_Released","NetHack-3.6.2_Release","NetHack-3.6.1_Release","NetHack-3.6.1_RC01","NetHack-3.6.0_Release","NetHack-3.6.0_RC05"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-19905.json","vanir_signatures":[{"signature_type":"Line","deprecated":false,"target":{"file":"src/files.c"},"signature_version":"v1","id":"CVE-2019-19905-070f9c1f","digest":{"line_hashes":["26961400313376108429921987578640899328","13198010897084917927445134827763789871","301660297847314158906968785346061189430","305364512567948852253197631201114623342","48135041025568776608930142938556586751","35228986595259396408271638364536354873","311424731610931539670844446726701228163","336997739704092229153841976868564076325","1897609516785154338923294080487339007","332372284303631247813861771839214444055","66159801133062218642847150427360569172","54546970892710300408899295710613259856","333388130237199819552198483958670175399","50946443806047556472667632790487523973","250727457770103261683033760717612742717","128182379615074142482727040696954110008","144408160085640486571022953468062618191","290501057356310795772825502409823155585","290992863102276924145757132850038097533","153150961289152042704493088656653711974","279795543691468206954057611899987833889","196077983847699537571137104472712850511","332452378490572381286775884918331708236","310287622283507457521787993113238323308","314529546056484968251247494416024801154","206339289586190838729620367865181311779","227602963386412199398419533756630284218","196805195529654038130795328704152591388","234860307265135649672215421452423321552","11094941029869456702831502437266640204","26139496897707473188171585183791514733","257014659270557530224795810044454823939","174063909781570399675394002348367771042","100692113801815488445166711921157125232","77659063208283810219549991776486221903","52823446101815831710242094852588069347"],"threshold":0.9},"source":"https://github.com/nethack/nethack/commit/f4a840a48f4bcf11757b3d859e9d53cc9d5ef226"}],"vanir_signatures_modified":"2026-05-18T14:17:11Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}