CVE-2019-19221
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-19221
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-19221.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-19221
- Downstream
- Related
- Published
- 2019-11-21T23:15:13Z
- Modified
- 2025-10-15T10:40:02.318030Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In Libarchive 3.4.0, archivewstringappendfrommbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.
- References
-
- https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41
- https://github.com/libarchive/libarchive/issues/1276
- https://lists.debian.org/debian-lts-announce/2022/04/msg00020.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html
- https://usn.ubuntu.com/4293-1/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RHFV25AVTASTWZRF3KTSL357AQ6TYHM4/
Affected packages
Git / github.com/libarchive/libarchive
Affected ranges
- Type
- GIT
- Repo
- https://github.com/libarchive/libarchive
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v2.*
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v3.*
v3.0.0a
v3.0.1b
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v3.1.2
v3.1.900a
v3.1.901a
v3.2.0
v3.2.1
v3.2.2
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.4.0
Database specific
vanir_signatures
[
{
"deprecated": false,
"target": {
"file": "libarchive/archive_string.c"
},
"signature_type": "Line",
"source": "https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41",
"id": "CVE-2019-19221-5e805d5f",
"digest": {
"line_hashes": [
"259493752926620651709142349362849276195",
"230785914983052223447961732927117151371",
"12217636447501291062302553513055680385",
"62405126494858429610787578500845061231",
"179463854991740435999144472805357298736",
"68272709789547205234125986453360853951",
"162410301725275465914806499663084049292",
"39164957372088187268497416633378961709",
"202682923871852641868733101080295891962",
"301086400055508873109432046317611991735",
"74546993610714974430143180538446038077",
"61386143541752768976266999255212136357",
"304739343456208653730853587197886130232",
"69163275847624257713894847667530878779",
"317680709258419472989675329879033315216",
"194390456970727352281349517689519873402",
"337761648969299792289380367460237055379",
"245645095900971998780157229976002940083",
"313689221747533615139444426067652867707",
"71839374558949873560356293840298277327",
"324202677020325561218158605561092244799",
"36678885239641828656854822239115902921",
"63456052592772401547364162085691945315",
"208068655965959195053039668998724809446",
"321372824576092357600368061492307768572",
"115861186337743141515360542569469183063",
"291243398602166245106447150619205573687",
"323333371442874016294651402000641868572",
"247288520912191146938119320438545084272",
"113231134948946292219430299831050015683",
"214748447455728673716737136207566695935",
"194097180572846545798744625891833564381",
"119524074472370788340214959067133643311"
],
"threshold": 0.9
},
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "libarchive/archive_string.c",
"function": "archive_wstring_append_from_mbs"
},
"signature_type": "Function",
"source": "https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41",
"id": "CVE-2019-19221-b74e4aa8",
"digest": {
"length": 1063.0,
"function_hash": "15941912786800880371649172928636517809"
},
"signature_version": "v1"
}
]