Candidate: CVE-2019-19905
PublicDate: 2019-12-19 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19905
 https://github.com/NetHack/NetHack/commit/f4a840a48f4bcf11757b3d859e9d53cc9d5ef226
 https://github.com/NetHack/NetHack/commit/f001de79542b8c38b1f8e6d7eaefbbd28ab94b47
 https://bugs.debian.org/947005
 https://nethack.org/security/CVE-2019-19905.html
Description:
 NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when
 reading very long lines from configuration files. This affects systems that
 have NetHack installed suid/sgid, and shared systems that allow users to
 upload their own configuration files.
Ubuntu-Description:
Notes:
 sbeattie> escalates to group games
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947005
Priority: low
Discovered-by: David Mendenhall
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_nethack:
 upstream: https://github.com/NetHack/NetHack/commit/f4a840a48f4bcf11757b3d859e9d53cc9d5ef226
 upstream: https://github.com/NetHack/NetHack/commit/f001de79542b8c38b1f8e6d7eaefbbd28ab94b47
upstream_nethack: released (3.6.5)
precise/esm_nethack: DNE
trusty_nethack: ignored (out of standard support)
trusty/esm_nethack: DNE
xenial_nethack: not-affected (code not present)
bionic_nethack: needed
disco_nethack: ignored (reached end-of-life)
eoan_nethack: ignored (reached end-of-life)
focal_nethack: needed
groovy_nethack: not-affected (3.6.6-1)
hirsute_nethack: not-affected (3.6.6-1)
impish_nethack: not-affected (3.6.6-1)
jammy_nethack: not-affected (3.6.6-1)
devel_nethack: not-affected (3.6.6-1)