CVE-2019-19221

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-19221
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-19221.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-19221
Downstream
Related
Published
2019-11-21T23:15:13Z
Modified
2025-09-19T10:52:13.333203Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In Libarchive 3.4.0, archivewstringappendfrommbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.

References

Affected packages

Alpine:v3.15

libarchive

Package

Name
libarchive
Purl
pkg:apk/alpine/libarchive?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.2-r0

Affected versions

2.*

2.8.4-r0
2.8.4-r1
2.8.4-r2
2.8.5-r0

3.*

3.0.2-r0
3.0.3-r0
3.0.4-r0
3.1.2-r0
3.1.2-r1
3.1.2-r2
3.2.0-r0
3.2.1-r0
3.2.1-r1
3.2.2-r0
3.2.2-r1
3.3.1-r0
3.3.1-r1
3.3.2-r0
3.3.2-r1
3.3.2-r2
3.3.2-r3
3.3.2-r4
3.3.3-r0
3.4.0-r0
3.4.1-r0

Alpine:v3.16

libarchive

Package

Name
libarchive
Purl
pkg:apk/alpine/libarchive?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.2-r0

Affected versions

2.*

2.8.4-r0
2.8.4-r1
2.8.4-r2
2.8.5-r0

3.*

3.0.2-r0
3.0.3-r0
3.0.4-r0
3.1.2-r0
3.1.2-r1
3.1.2-r2
3.2.0-r0
3.2.1-r0
3.2.1-r1
3.2.2-r0
3.2.2-r1
3.3.1-r0
3.3.1-r1
3.3.2-r0
3.3.2-r1
3.3.2-r2
3.3.2-r3
3.3.2-r4
3.3.3-r0
3.4.0-r0
3.4.1-r0

Alpine:v3.18

libarchive

Package

Name
libarchive
Purl
pkg:apk/alpine/libarchive?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.2-r0

Affected versions

2.*

2.8.4-r0
2.8.4-r1
2.8.4-r2
2.8.5-r0

3.*

3.0.2-r0
3.0.3-r0
3.0.4-r0
3.1.2-r0
3.1.2-r1
3.1.2-r2
3.2.0-r0
3.2.1-r0
3.2.1-r1
3.2.2-r0
3.2.2-r1
3.3.1-r0
3.3.1-r1
3.3.2-r0
3.3.2-r1
3.3.2-r2
3.3.2-r3
3.3.2-r4
3.3.3-r0
3.4.0-r0
3.4.1-r0

Alpine:v3.19

libarchive

Package

Name
libarchive
Purl
pkg:apk/alpine/libarchive?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.2-r0

Affected versions

2.*

2.8.4-r0
2.8.4-r1
2.8.4-r2
2.8.5-r0

3.*

3.0.2-r0
3.0.3-r0
3.0.4-r0
3.1.2-r0
3.1.2-r1
3.1.2-r2
3.2.0-r0
3.2.1-r0
3.2.1-r1
3.2.2-r0
3.2.2-r1
3.3.1-r0
3.3.1-r1
3.3.2-r0
3.3.2-r1
3.3.2-r2
3.3.2-r3
3.3.2-r4
3.3.3-r0
3.4.0-r0
3.4.1-r0

Alpine:v3.20

libarchive

Package

Name
libarchive
Purl
pkg:apk/alpine/libarchive?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.2-r0

Affected versions

2.*

2.8.4-r0
2.8.4-r1
2.8.4-r2
2.8.5-r0

3.*

3.0.2-r0
3.0.3-r0
3.0.4-r0
3.1.2-r0
3.1.2-r1
3.1.2-r2
3.2.0-r0
3.2.1-r0
3.2.1-r1
3.2.2-r0
3.2.2-r1
3.3.1-r0
3.3.1-r1
3.3.2-r0
3.3.2-r1
3.3.2-r2
3.3.2-r3
3.3.2-r4
3.3.3-r0
3.4.0-r0
3.4.1-r0

Alpine:v3.21

libarchive

Package

Name
libarchive
Purl
pkg:apk/alpine/libarchive?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.2-r0

Affected versions

2.*

2.8.4-r0
2.8.4-r1
2.8.4-r2
2.8.5-r0

3.*

3.0.2-r0
3.0.3-r0
3.0.4-r0
3.1.2-r0
3.1.2-r1
3.1.2-r2
3.2.0-r0
3.2.1-r0
3.2.1-r1
3.2.2-r0
3.2.2-r1
3.3.1-r0
3.3.1-r1
3.3.2-r0
3.3.2-r1
3.3.2-r2
3.3.2-r3
3.3.2-r4
3.3.3-r0
3.4.0-r0
3.4.1-r0

Alpine:v3.22

libarchive

Package

Name
libarchive
Purl
pkg:apk/alpine/libarchive?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.2-r0

Affected versions

2.*

2.8.4-r0
2.8.4-r1
2.8.4-r2
2.8.5-r0

3.*

3.0.2-r0
3.0.3-r0
3.0.4-r0
3.1.2-r0
3.1.2-r1
3.1.2-r2
3.2.0-r0
3.2.1-r0
3.2.1-r1
3.2.2-r0
3.2.2-r1
3.3.1-r0
3.3.1-r1
3.3.2-r0
3.3.2-r1
3.3.2-r2
3.3.2-r3
3.3.2-r4
3.3.3-r0
3.4.0-r0
3.4.1-r0

Git

github.com/libarchive/libarchive

Affected ranges

Type
GIT
Repo
https://github.com/libarchive/libarchive
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
22b1db9d46654afc6f0c28f90af8cdc84a199f41

Affected versions

v2.*

v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5

v3.*

v3.0.0a
v3.0.1b
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v3.1.2
v3.1.900a
v3.1.901a
v3.2.0
v3.2.1
v3.2.2
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.4.0

Database specific 

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "signature_type": "Line",
            "source": "https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41",
            "signature_version": "v1",
            "target": {
                "file": "libarchive/archive_string.c"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "259493752926620651709142349362849276195",
                    "230785914983052223447961732927117151371",
                    "12217636447501291062302553513055680385",
                    "62405126494858429610787578500845061231",
                    "179463854991740435999144472805357298736",
                    "68272709789547205234125986453360853951",
                    "162410301725275465914806499663084049292",
                    "39164957372088187268497416633378961709",
                    "202682923871852641868733101080295891962",
                    "301086400055508873109432046317611991735",
                    "74546993610714974430143180538446038077",
                    "61386143541752768976266999255212136357",
                    "304739343456208653730853587197886130232",
                    "69163275847624257713894847667530878779",
                    "317680709258419472989675329879033315216",
                    "194390456970727352281349517689519873402",
                    "337761648969299792289380367460237055379",
                    "245645095900971998780157229976002940083",
                    "313689221747533615139444426067652867707",
                    "71839374558949873560356293840298277327",
                    "324202677020325561218158605561092244799",
                    "36678885239641828656854822239115902921",
                    "63456052592772401547364162085691945315",
                    "208068655965959195053039668998724809446",
                    "321372824576092357600368061492307768572",
                    "115861186337743141515360542569469183063",
                    "291243398602166245106447150619205573687",
                    "323333371442874016294651402000641868572",
                    "247288520912191146938119320438545084272",
                    "113231134948946292219430299831050015683",
                    "214748447455728673716737136207566695935",
                    "194097180572846545798744625891833564381",
                    "119524074472370788340214959067133643311"
                ]
            },
            "id": "CVE-2019-19221-5e805d5f"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "source": "https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41",
            "signature_version": "v1",
            "target": {
                "file": "libarchive/archive_string.c",
                "function": "archive_wstring_append_from_mbs"
            },
            "digest": {
                "function_hash": "15941912786800880371649172928636517809",
                "length": 1063.0
            },
            "id": "CVE-2019-19221-b74e4aa8"
        }
    ]
}