CVE-2019-19221: Out-of-bounds Read in Libarchive

CWE-125: Out-of-bounds Read (12 documents, 7 sources)

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.1% (top 76.61%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 21; latest update Apr 2

Description

In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (4 packages)

debian: debian/libarchive < libarchive 3.4.2-1 (bookworm)
Debian: libarchive/libarchive < 3.4.2-1 +3
Ubuntu: libarchive/libarchive < 3.1.2-11ubuntu0.16.04.8 +8

Also affects: Debian Linux 10.0, 9.0, Fedora 32, Ubuntu Linux 16.04, 18.04, 19.10

Patches

🔴 Vulnerability Details (4)

OSV: libarchive vulnerabilities (2026-04-02)
GHSA: GHSA-m55v-6hqc-x3jh: In Libarchive 3 (2022-05-24)
OSV: libarchive vulnerabilities (2020-03-02)
OSV: CVE-2019-19221: In Libarchive 3 (2019-11-21)

📋 Vendor Advisories (4)

Ubuntu: libarchive vulnerabilities (2026-04-02)
Ubuntu: libarchive vulnerabilities (2020-03-02)
Red Hat: libarchive: out-of-bounds read in archive_wstring_append_from_mbs in archive_string.c (2019-11-21)
Debian: CVE-2019-19221: libarchive - In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an ... (2019)

💬 Community (3)

Bugzilla: CVE-2019-19221 libarchive: out-of-bounds read in archive_wstring_append_from_mbs in archive_string.c [fedora-all] (2020-02-11)
Bugzilla: CVE-2019-19221 libarchive: out-of-bounds read in archive_wstring_append_from_mbs in archive_string.c (2020-02-11)
Bugzilla: CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry [fedora-all] (2019-11-07)