CVE-2020-21674

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-21674

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-21674.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-21674

Published

2020-10-15T15:15:11.280Z

Modified

2025-11-14T10:56:10.474402Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Heap-based buffer overflow in archivestringappendfromwcs() (archive_string.c) in libarchive-3.4.1dev allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting into a crash) via a crafted archive file. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.

References

Affected packages

Git / github.com/libarchive/libarchive

Affected ranges

Type: GIT
Repo: https://github.com/libarchive/libarchive
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4f085eea879e2be745f4d9bf57e8513ae48157f4

Affected versions

v2.*

v2.6.0

v2.6.1

v2.6.2

v2.7.0

v2.7.1

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v3.*

v3.0.0a

v3.0.1b

v3.0.2

v3.0.3

v3.0.4

v3.1.0

v3.1.1

v3.1.2

v3.1.900a

v3.1.901a

v3.2.0

v3.2.1

v3.2.2

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.4.0

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "116072633996693821785027581455796757274",
                "263475613020376564928275470288168600925",
                "35946731963817428492056963881029968778",
                "296071922221007169360767292332859772771",
                "220577582959158359478493625985624478790",
                "24629896105847692471971921686267738172",
                "260617937097323827464431308041105301840",
                "265771018612808281715836621317599184067",
                "131567820986708162080378277940629658416",
                "24629896105847692471971921686267738172",
                "260617937097323827464431308041105301840"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "source": "https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4",
        "signature_version": "v1",
        "target": {
            "file": "libarchive/archive_string.c"
        },
        "id": "CVE-2020-21674-261c3f39"
    },
    {
        "deprecated": false,
        "digest": {
            "length": 1087.0,
            "function_hash": "291484009972018707314609976661061493870"
        },
        "signature_type": "Function",
        "source": "https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4",
        "signature_version": "v1",
        "target": {
            "function": "archive_string_append_from_wcs",
            "file": "libarchive/archive_string.c"
        },
        "id": "CVE-2020-21674-596d9501"
    },
    {
        "deprecated": false,
        "digest": {
            "length": 1202.0,
            "function_hash": "80370799617205615188298360175217438738"
        },
        "signature_type": "Function",
        "source": "https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4",
        "signature_version": "v1",
        "target": {
            "function": "strncat_from_utf8_libarchive2",
            "file": "libarchive/archive_string.c"
        },
        "id": "CVE-2020-21674-c8b835c7"
    }
]